ipn/ipnlocal: return error on missing --unattended on CLI up on Windows

Maybe not the best long-term fix, but better than letting the user start the server for a millisecond just to have it all torn down as their CLI command finishes running. Updates #7055 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-02-07 14:36:55 -08:00
532 changed files with 9778 additions and 41135 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -0,0 +1,31 @@
+name: CIFuzz
+on: [] # was: [pull_request], but disabled in https://github.com/tailscale/tailscale/pull/7156
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Build Fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'tailscale'
+        dry-run: false
+        language: go
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'tailscale'
+        fuzz-seconds: 300
+        dry-run: false
+        language: go
+    - name: Upload Crash
+      uses: actions/upload-artifact@v3
+      if: failure() && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts
--- a/.github/workflows/codeql-analysis.yml.disabled
+++ b/.github/workflows/codeql-analysis.yml.disabled
@ -17,8 +17,6 @@ on:
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
-  merge_group:
-    branches: [ main ]
  schedule:
    - cron: '31 14 * * 5'

--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@ -0,0 +1,55 @@
+name: Android-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Android smoke build
+      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
+      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
+      # some Android breakages early.
+      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
+      env:
+        GOOS: android
+        GOARCH: arm64
+      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@ -0,0 +1,63 @@
+name: Darwin-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: macOS build cmd
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: macOS build tests
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - name: iOS build most
+      env:
+        GOOS: ios
+        GOARCH: arm64
+      run: go install ./ipn/... ./wgengine/ ./types/... ./control/controlclient
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@ -0,0 +1,57 @@
+name: FreeBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: FreeBSD build cmd
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: FreeBSD build tests
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-loong64.yml
+++ b/.github/workflows/cross-loong64.yml
@ -0,0 +1,57 @@
+name: Loongnix-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Loongnix build cmd
+      env:
+        GOOS: linux
+        GOARCH: loong64
+      run: go build ./cmd/...
+
+    - name: Loongnix build tests
+      env:
+        GOOS: linux
+        GOARCH: loong64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@ -0,0 +1,57 @@
+name: OpenBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: OpenBSD build cmd
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: OpenBSD build tests
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@ -0,0 +1,58 @@
+name: Wasm-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Wasm client build
+      env:
+        GOOS: js
+        GOARCH: wasm
+      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+
+    - name: tsconnect static build
+      # Use our custom Go toolchain, we set build tags (to control binary size)
+      # that depend on it.
+      run: |
+        ./tool/go run ./cmd/tsconnect --fast-compression build
+        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@ -0,0 +1,57 @@
+name: Windows-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Windows build cmd
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Windows build tests
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@ -0,0 +1,33 @@
+name: depaware
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: depaware
+      run: go run github.com/tailscale/depaware --check
+        tailscale.com/cmd/tailscaled
+        tailscale.com/cmd/tailscale
+        tailscale.com/cmd/derper
--- a/.github/workflows/docker-file-build.yml.disabled
+++ b/.github/workflows/docker-file-build.yml.disabled
@ -1,15 +0,0 @@
-name: "Dockerfile build"
-on: 
-  push:
-    branches:
-    - main
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build Docker image"
-      run: docker build .
--- a/.github/workflows/go-licenses.yml.disabled
+++ b/.github/workflows/go-licenses.yml.disabled
@ -17,7 +17,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  update-licenses:
+  tailscale:
    runs-on: ubuntu-latest

    steps:
@ -25,7 +25,7 @@ jobs:
        uses: actions/checkout@v3

      - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod

@ -42,7 +42,7 @@ jobs:
          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl

      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
        id: generate-token
        with:
          app_id: ${{ secrets.LICENSING_APP_ID }}
@ -50,11 +50,11 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
        with:
          token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply+license-updater@tailscale.com>
-          committer: License Updater <noreply+license-updater@tailscale.com>
+          author: License Updater <noreply@tailscale.com>
+          committer: License Updater <noreply@tailscale.com>
          branch: licenses/cli
          commit-message: "licenses: update tailscale{,d} licenses"
          title: "licenses: update tailscale{,d} licenses"
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@ -0,0 +1,42 @@
+name: go generate
+
+on:
+  push:
+    branches:
+      - main
+      - "release-branch/*"
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: check 'go generate' is clean
+        run: |
+          if [[ "${{github.ref}}" == release-branch/* ]]
+          then
+            pkgs=$(go list ./... | grep -v dnsfallback)
+          else
+            pkgs=$(go list ./... | grep -v dnsfallback)
+          fi
+          go generate $pkgs
+          echo
+          echo
+          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
--- a/.github/workflows/go_mod_tidy.yml
+++ b/.github/workflows/go_mod_tidy.yml
@ -0,0 +1,35 @@
+name: go mod tidy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: check 'go mod tidy' is clean
+        run: |
+          ./tool/go mod tidy
+          echo
+          echo
+          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
--- a/.github/workflows/golangci-lint.yml.disabled
+++ b/.github/workflows/golangci-lint.yml.disabled
@ -1,40 +0,0 @@
-name: golangci-lint
-on:
-  # For now, only lint pull requests, not the main branches.
-  pull_request:
-
-  # TODO(andrew): enable for main branch after an initial waiting period.
-  #push:
-  #  branches:
-  #    - main
-
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pull-requests: read
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: golangci-lint
-        # Note: this is the 'v3' tag as of 2023-04-17
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
-        with:
-          version: v1.52.2
-
-          # Show only new issues if it's a pull request.
-          only-new-issues: true
--- a/.github/workflows/installer.yml.disabled
+++ b/.github/workflows/installer.yml.disabled
@ -1,102 +0,0 @@
-name: test installer.sh
-
-on:
-  push:
-    branches:
-      - "main"
-    paths:
-      - scripts/installer.sh
-  pull_request:
-    branches:
-      - "*"
-    paths:
-      - scripts/installer.sh
-
-jobs:
-  test:
-    strategy:
-      # Don't abort the entire matrix if one element fails.
-      fail-fast: false
-      # Don't start all of these at once, which could saturate Github workers.
-      max-parallel: 4
-      matrix:
-        image:
-          # This is a list of Docker images against which we test our installer.
-          # If you find that some of these no longer exist, please feel free
-          # to remove them from the list.
-          # When adding new images, please only use official ones.
-          - "debian:oldstable-slim"
-          - "debian:stable-slim"
-          - "debian:testing-slim"
-          - "debian:sid-slim"
-          - "ubuntu:18.04"
-          - "ubuntu:20.04"
-          - "ubuntu:22.04"
-          - "ubuntu:22.10"
-          - "ubuntu:23.04"
-          - "elementary/docker:stable"
-          - "elementary/docker:unstable"
-          - "parrotsec/core:lts-amd64"
-          - "parrotsec/core:latest"
-          - "kalilinux/kali-rolling"
-          - "kalilinux/kali-dev"
-          - "oraclelinux:9"
-          - "oraclelinux:8"
-          - "fedora:latest"
-          - "rockylinux:8.7"
-          - "rockylinux:9"
-          - "amazonlinux:latest"
-          - "opensuse/leap:latest"
-          - "opensuse/tumbleweed:latest"
-          - "archlinux:latest"
-          - "alpine:3.14"
-          - "alpine:latest"
-          - "alpine:edge"
-        deps:
-          # Run all images installing curl as a dependency.
-          - curl
-        include:
-          # Check a few images with wget rather than curl.
-          - { image: "debian:oldstable-slim", deps: "wget" }
-          - { image: "debian:sid-slim", deps: "wget" }
-          - { image: "ubuntu:23.04", deps: "wget" }
-          # Ubuntu 16.04 also needs apt-transport-https installed.
-          - { image: "ubuntu:16.04", deps: "curl apt-transport-https" }
-          - { image: "ubuntu:16.04", deps: "wget apt-transport-https" }
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ matrix.image }}
-      options: --user root
-    steps:
-    - name: install dependencies (yum)
-      # tar and gzip are needed by the actions/checkout below.
-      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
-      if: |
-        contains(matrix.image, 'centos')
-        || contains(matrix.image, 'oraclelinux')
-        || contains(matrix.image, 'fedora')
-        || contains(matrix.image, 'amazonlinux')
-    - name: install dependencies (zypper)
-      # tar and gzip are needed by the actions/checkout below.
-      run: zypper --non-interactive install tar gzip
-      if: contains(matrix.image, 'opensuse')
-    - name: install dependencies (apt-get)
-      run: |
-        apt-get update
-        apt-get install -y ${{ matrix.deps }}
-      if: |
-        contains(matrix.image, 'debian')
-        || contains(matrix.image, 'ubuntu')
-        || contains(matrix.image, 'elementary')
-        || contains(matrix.image, 'parrotsec')
-        || contains(matrix.image, 'kalilinux')
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: run installer
-      run: scripts/installer.sh
-      # Package installation can fail in docker because systemd is not running
-      # as PID 1, so ignore errors at this step. The real check is the
-      # `tailscale --version` command below.
-      continue-on-error: true
-    - name: check tailscale version
-      run: tailscale --version
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@ -0,0 +1,45 @@
+name: license
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: Run license checker
+      run: ./scripts/check_license_headers.sh .
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@ -0,0 +1,70 @@
+name: Linux race
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Build test wrapper
+      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Run tests and benchmarks with -race flag on linux
+      run: go test -exec=/tmp/testwrapper -race -bench=. -benchtime=1x ./...
+
+    - name: Check that no tracked files in the repo have been modified
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+
+    - name: Check that no files have been added to the repo
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -0,0 +1,80 @@
+name: Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Build test wrapper
+      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
+
+    - name: Build variants
+      run: |
+        go install --tags=ts_include_cli ./cmd/tailscaled
+        go install --tags=ts_omit_aws ./cmd/tailscaled
+
+    - name: Get QEMU
+      run: |
+        sudo apt-get -y update
+        sudo apt-get -y install qemu-user
+
+    - name: Run tests on linux
+      run: go test -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+
+    - name: Check that no tracked files in the repo have been modified
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+
+    - name: Check that no files have been added to the repo
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@ -0,0 +1,67 @@
+name: Linux 32-bit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Basic build
+      run: GOARCH=386 go build ./cmd/...
+
+    - name: Run tests on linux
+      run: GOARCH=386 go test -bench=. -benchtime=1x ./...
+
+    - name: Check that no tracked files in the repo have been modified
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+
+    - name: Check that no files have been added to the repo
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@ -0,0 +1,119 @@
+name: static-analysis
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  gofmt:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+    - name: Run gofmt (goimports)
+      run: |
+        OUT=$(go run golang.org/x/tools/cmd/goimports -d --format-only .)
+        [ -z "$OUT" ] || (echo "Not gofmt'ed: $OUT" && exit 1)
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  vet:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  staticcheck:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin]
+        goarch: [amd64]
+        include:
+          - goos: windows
+            goarch: 386
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+
+    - name: Install staticcheck
+      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
+
+    - name: Print staticcheck version
+      run: "staticcheck -version"
+
+    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/test.yml.disabled
+++ b/.github/workflows/test.yml.disabled
@ -1,500 +0,0 @@
-# This is our main "CI tests" workflow. It runs everything that should run on
-# both PRs and merged commits, and for the latter reports failures to slack.
-name: CI
-
-env:
-  # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
-  # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
-  # ends up being unable to compile our code.
-  #
-  # When this happens, we want to disable the fuzz target until OSS-Fuzz catches
-  # up. However, we also don't want to forget to turn it back on when OSS-Fuzz
-  # can once again build our code.
-  #
-  # This variable toggles the fuzz job between two modes:
-  #  - false: we expect fuzzing to be happy, and should report failure if it's not.
-  #  - true: we expect fuzzing is broken, and should report failure if it start working.
-  TS_FUZZ_CURRENTLY_BROKEN: false
-
-on:
-  push:
-    branches:
-      - "main"
-      - "release-branch/*"
-  pull_request:
-    branches:
-      - "*"
-  merge_group:
-    branches:
-      - "main"
-
-concurrency:
-  # For PRs, later CI runs preempt previous ones. e.g. a force push on a PR
-  # cancels running CI jobs and starts all new ones.
-  #
-  # For non-PR pushes, concurrency.group needs to be unique for every distinct
-  # CI run we want to have happen. Use run_id, which in practice means all
-  # non-PR CI runs will be allowed to run without preempting each other.
-  group: ${{ github.workflow }}-$${{ github.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          - goarch: amd64
-          - goarch: amd64
-            buildflags: "-race"
-          - goarch: "386" # thanks yaml
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-
-    - name: build all
-      run: ./tool/go build ${{matrix.buildflags}} ./...
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: build variant CLIs
-      run: |
-        export TS_USE_TOOLCHAIN=1
-        ./build_dist.sh --extra-small ./cmd/tailscaled
-        ./build_dist.sh --box ./cmd/tailscaled
-        ./build_dist.sh --extra-small --box ./cmd/tailscaled
-        rm -f tailscaled
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: get qemu # for tstest/archtest
-      if: matrix.goarch == 'amd64' && matrix.variant == ''
-      run: |
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-    - name: build test wrapper
-      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
-    - name: test all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: bench all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ 
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: check that no tracked files changed
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-    - name: check that no new files were added
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-  windows:
-    runs-on: windows-2022
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-
-    - name: Install Go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-        cache: false
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-go-2-
-    - name: test
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -bench . -benchtime 1x ./...
-
-  vm:
-    runs-on: ["self-hosted", "linux", "vm"]
-    # VM tests run with some privileges, don't let them run on 3p PRs.
-    if: github.repository == 'tailscale/tailscale'
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Run VM tests
-      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-      env:
-        HOME: "/tmp"
-        TMPDIR: "/tmp"
-        XDB_CACHE_HOME: "/var/lib/ghrunner/cache"
-  
-  cross: # cross-compile checks, build only.
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Note: linux/amd64 is not in this matrix, because that goos/goarch is
-          # tested more exhaustively in the 'test' job above.
-          - goos: linux
-            goarch: arm64
-          - goos: linux
-            goarch: "386" # thanks yaml
-          - goos: linux
-            goarch: loong64
-          - goos: linux
-            goarch: arm
-            goarm: "5"
-          - goos: linux
-            goarch: arm
-            goarm: "7"
-          # macOS
-          - goos: darwin
-            goarch: amd64
-          - goos: darwin
-            goarch: arm64
-          # Windows
-          - goos: windows
-            goarch: amd64
-          - goos: windows
-            goarch: arm64
-          # BSDs
-          - goos: freebsd
-            goarch: amd64
-          - goos: openbsd
-            goarch: amd64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build all
-      run: ./tool/go build ./cmd/...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-    - name: build tests
-      run: ./tool/go test -exec=true ./...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        CGO_ENABLED: "0"
-
-  ios: # similar to cross above, but iOS can't build most of the repo. So, just
-       #make it build a few smoke packages.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: build some
-      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-      env:
-        GOOS: ios
-        GOARCH: arm64
-
-  android:
-    # similar to cross above, but android fails to build a few pieces of the
-    # repo. We should fix those pieces, they're small, but as a stepping stone,
-    # only test the subset of android that our past smoke test checked.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-    - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-      env:
-        GOOS: android
-        GOARCH: arm64
-
-  wasm: # builds tsconnect, which is the only wasm build we support
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-go-2-
-    - name: build tsconnect client
-      run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-      env:
-        GOOS: js
-        GOARCH: wasm
-    - name: build tsconnect server
-      # Note, no GOOS/GOARCH in env on this build step, we're running a build
-      # tool that handles the build itself.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-
-  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: test tailscale_go
-      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
-
-
-  fuzz:
-    # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
-    # of the file), so it's more complex than usual: the 'build fuzzers' step
-    # might fail, and depending on the value of 'TS_FUZZ_CURRENTLY_BROKEN', that
-    # might or might not be fine. The steps after the build figure out whether
-    # the success/failure is expected, and appropriately pass/fail the job
-    # overall accordingly.
-    #
-    # Practically, this means that all steps after 'build fuzzers' must have an
-    # explicit 'if' condition, because the default condition for steps is
-    # 'success()', meaning "only run this if no previous steps failed".
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-22.04
-    steps:
-    - name: build fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      # continue-on-error makes steps.build.conclusion be 'success' even if
-      # steps.build.outcome is 'failure'. This means this step does not
-      # contribute to the job's overall pass/fail evaluation.
-      continue-on-error: true
-      with:
-       oss-fuzz-project-name: 'tailscale'
-       dry-run: false
-       language: go
-    - name: report unexpectedly broken fuzz build
-      if: steps.build.outcome == 'failure' && env.TS_FUZZ_CURRENTLY_BROKEN != 'true'
-      run: |
-        echo "fuzzer build failed, see above for why"
-        echo "if the failure is due to OSS-Fuzz not being on the latest Go yet,"
-        echo "set TS_FUZZ_CURRENTLY_BROKEN=true in .github/workflows/test.yml"
-        echo "to temporarily disable fuzzing until OSS-Fuzz works again."
-        exit 1
-    - name: report unexpectedly working fuzz build
-      if: steps.build.outcome == 'success' && env.TS_FUZZ_CURRENTLY_BROKEN == 'true'
-      run: |
-        echo "fuzzer build succeeded, but we expect it to be broken"
-        echo "please set TS_FUZZ_CURRENTLY_BROKEN=false in .github/workflows/test.yml"
-        echo "to reenable fuzz testing"
-        exit 1
-    - name: run fuzzers
-      id: run
-      # Run the fuzzers whenever they're able to build, even if we're going to
-      # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
-      # value.
-      if: steps.build.outcome == 'success'
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: upload crash
-      uses: actions/upload-artifact@v3
-      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts
-
-  depaware:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check depaware
-      run: |
-        export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
-
-  go_generate:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check that 'go generate' is clean
-      run: |
-        pkgs=$(./tool/go list ./... | grep -v dnsfallback)
-        ./tool/go generate $pkgs
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
-
-  go_mod_tidy:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check that 'go mod tidy' is clean
-      run: |
-        ./tool/go mod tidy
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
-
-  licenses:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check licenses
-      run: ./scripts/check_license_headers.sh .
-
-  staticcheck:
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        goos: ["linux", "windows", "darwin"]
-        goarch: ["amd64"]
-        include:
-          - goos: "windows"
-            goarch: "386"
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: install staticcheck
-      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
-    - name: run staticcheck
-      run: |
-        export GOROOT=$(./tool/go env GOROOT)
-        export PATH=$GOROOT/bin:$PATH
-        staticcheck -- $(./tool/go list ./... | grep -v tempfork)
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-
-  notify_slack:
-    if: always()
-    # Any of these jobs failing causes a slack notification.
-    needs: 
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    runs-on: ubuntu-22.04
-    steps:
-    - name: notify  
-      # Only notify slack for merged commits, not PR failures.
-      #
-      # It may be tempting to move this condition into the job's 'if' block, but
-      # don't: Github only collapses the test list into "everything is OK" if
-      # all jobs succeeded. A skipped job results in the list staying expanded.
-      # By having the job always run, but skipping its only step as needed, we
-      # let the CI output collapse nicely in PRs.
-      if: failure() && github.event_name == 'push'
-      uses: ruby/action-slack@v3.2.1
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "title": "Failure: ${{ github.workflow }}",
-              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
-              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
-              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
-              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
-  check_mergeability:
-    if: always()
-    runs-on: ubuntu-22.04
-    needs:
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    steps:
-    - name: Decide if change is okay to merge
-      if: github.event_name != 'push'
-      uses: re-actors/alls-green@release/v1
-      with:
-        jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/tsconnect-pkg-publish.yml
+++ b/.github/workflows/tsconnect-pkg-publish.yml
@ -0,0 +1,30 @@
+name: "@tailscale/connect npm publish"
+
+on: workflow_dispatch
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up node
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16.x"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Build package
+        # Build with build_dist.sh to ensure that version information is embedded.
+        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
+        # also picks up our custom Go toolchain.
+        run: |
+          ./build_dist.sh tailscale.com/cmd/tsconnect
+          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
+
+      - name: Publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
+        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public
--- a/.github/workflows/update-flake.yml.disabled
+++ b/.github/workflows/update-flake.yml.disabled
@ -1,49 +0,0 @@
-name: update-flake
-
-on:
-  # run action when a change lands in the main branch which updates go.mod. Also
-  # allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/workflows/update-flakes.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  update-flake:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Run update-flakes
-        run: ./update-flake.sh
-
-      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
-          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
-          branch: flakes
-          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
-          title: "go.mod.sri: update SRI hash for go.mod changes"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          reviewers: danderson
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@ -0,0 +1,51 @@
+name: VM
+
+on:
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  ubuntu2004-LTS-cloud-base:
+    runs-on: [ self-hosted, linux, vm ]
+
+    if: "(github.repository == 'tailscale/tailscale') && !contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+      - name: Set GOPATH
+        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
+
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Run VM tests
+        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
+        env:
+          HOME: "/tmp"
+          TMPDIR: "/tmp"
+          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+
+      - uses: k0kubun/action-slack@v2.0.0
+        with:
+          payload: |
+            {
+              "attachments": [{
+                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                        "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                        "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+                "color": "danger"
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: failure() && github.event_name == 'push'
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -0,0 +1,67 @@
+name: Windows
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Install Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike some other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+
+    - name: Test
+      # Don't use -bench=. -benchtime=1x.
+      # Somewhere in the layers (powershell?)
+      # the equals signs cause great confusion.
+      run: go test -bench . -benchtime 1x ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.gitignore
+++ b/.gitignore
@ -26,14 +26,5 @@ cmd/tailscaled/tailscaled
 # Ignore personal VS Code settings
 .vscode/

-# Support personal project-specific GOPATH
-.gopath/
-
-# Ignore nix build result path
-/result
-
 # Ignore direnv nix-shell environment cache
 .direnv/
-
-/gocross
-/dist
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,61 +0,0 @@
-linters:
-  # Don't enable any linters by default; just the ones that we explicitly
-  # enable in the list below.
-  disable-all: true
-  enable:
-    - bidichk
-    - gofmt
-    - goimports
-    - misspell
-    - revive
-
-# Configuration for how we run golangci-lint
-run:
-  timeout: 5m
-
-issues:
-  # Excluding configuration per-path, per-linter, per-text and per-source
-  exclude-rules:
-    # These are forks of an upstream package and thus are exempt from stylistic
-    # changes that would make pulling in upstream changes harder.
-    - path: tempfork/.*\.go
-      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
-    - path: util/singleflight/.*\.go
-      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
-
-# Per-linter settings are contained in this top-level key
-linters-settings:
-  # Enable all rules by default; we don't use invisible unicode runes.
-  bidichk:
-
-  gofmt:
-    rewrite-rules:
-      - pattern: 'interface{}'
-        replacement: 'any'
-
-  goimports:
-
-  misspell:
-
-  revive:
-    enable-all-rules: false
-    ignore-generated-header: true
-    rules:
-      - name: atomic
-      - name: context-keys-type
-      - name: defer
-        arguments: [[
-          # Calling 'recover' at the time a defer is registered (i.e. "defer recover()") has no effect.
-          "immediate-recover",
-          # Calling 'recover' outside of a deferred function has no effect
-          "recover",
-          # Returning values from a deferred function has no effect
-          "return",
-        ]]
-      - name: duplicated-imports
-      - name: errorf
-      - name: string-of-int
-      - name: time-equal
-      - name: unconditional-recursion
-      - name: useless-break
-      - name: waitgroup-by-value
--- a/11
+++ b/11
@ -47,7 +47,8 @@ RUN go install \
    golang.org/x/crypto/ssh \
    golang.org/x/crypto/acme \
    nhooyr.io/websocket \
-    github.com/mdlayher/netlink
+    github.com/mdlayher/netlink \
+    golang.zx2c4.com/wireguard/device

 COPY . .

@ -61,9 +62,9 @@ ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

 RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.longStamp=$VERSION_LONG \
-      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
-      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
+      -X tailscale.com/version.Long=$VERSION_LONG \
+      -X tailscale.com/version.Short=$VERSION_SHORT \
+      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot

 FROM alpine:3.16
@ -72,4 +73,4 @@ RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
 # using build_docker.sh which sets an entrypoint for the image.
-RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh
+RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh
--- a/Dockerfile.base
+++ b/Dockerfile.base
@ -2,4 +2,4 @@
 # SPDX-License-Identifier: BSD-3-Clause

 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/50
+++ b/50
@ -2,13 +2,16 @@ IMAGE_REPO ?= tailscale/tailscale
 SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"

-vet: ## Run go vet
+usage:
+	echo "See Makefile"
+
+vet:
 	./tool/go vet ./...

-tidy: ## Run go mod tidy
+tidy:
 	./tool/go mod tidy

-updatedeps: ## Update depaware deps
+updatedeps:
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
@ -16,7 +19,7 @@ updatedeps: ## Update depaware deps
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper

-depaware: ## Run depaware checks
+depaware:
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
@ -24,41 +27,42 @@ depaware: ## Run depaware checks
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper

-buildwindows: ## Build tailscale CLI for windows/amd64
+buildwindows:
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-build386: ## Build tailscale CLI for linux/386
+build386:
 	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildlinuxarm: ## Build tailscale CLI for linux/arm
+buildlinuxarm:
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildwasm: ## Build tailscale CLI for js/wasm
+buildwasm:
 	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli

-buildlinuxloong64: ## Build tailscale CLI for linux/loong64
+buildlinuxloong64:
 	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildmultiarchimage: ## Build (and optionally push) multiarch docker image
+buildmultiarchimage:
 	./build_docker.sh

-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ## Perform basic checks and compilation tests
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm

-staticcheck: ## Run staticcheck.io checks
+staticcheck:
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)

-spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
+spk:
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}

-spkall: ## Build synology packages for all architectures and DSM versions
-	./tool/go run ./cmd/dist build synology
+spkall:
+	mkdir -p spks
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all

-pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
+pushspk: spk
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
 	scp tailscale.spk root@${SYNO_HOST}:
 	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk

-publishdevimage: ## Build and publish tailscale image to location specified by ${REPO}
+publishdevimage:
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
@ -66,18 +70,10 @@ publishdevimage: ## Build and publish tailscale image to location specified by $
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
 	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh

-publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
+publishdevoperator:
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
 	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
-
-help: ## Show this help
-	@echo "\nSpecify a command. The choices are:\n"
-	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'
-	@echo ""
-.PHONY: help
-
-.DEFAULT_GOAL := help
--- a/VERSION.txt
+++ b/VERSION.txt
@ -1 +1 @@
-1.45.0
+1.37.0
--- a/api.md
+++ b/api.md
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@ -8,20 +8,14 @@
 package atomicfile // import "tailscale.com/atomicfile"

 import (
-	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 )

-// WriteFile writes data to filename+some suffix, then renames it into filename.
-// The perm argument is ignored on Windows. If the target filename already
-// exists but is not a regular file, WriteFile returns an error.
+// WriteFile writes data to filename+some suffix, then renames it
+// into filename. The perm argument is ignored on Windows.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	fi, err := os.Stat(filename)
-	if err == nil && !fi.Mode().IsRegular() {
-		return fmt.Errorf("%s already exists and is not a regular file", filename)
-	}
 	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
--- a/atomicfile/atomicfile_test.go
+++ b/atomicfile/atomicfile_test.go
@ -1,47 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !js && !windows
-
-package atomicfile
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-)
-
-func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
-	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
-	// atomicfile.Write should likely not attempt to overwrite an irregular file
-	// such as a device node, socket, or named pipe.
-
-	const filename = "TestDoesNotOverwriteIrregularFiles"
-	var path string
-	// macOS private temp does not allow unix socket creation, but /tmp does.
-	if runtime.GOOS == "darwin" {
-		path = filepath.Join("/tmp", filename)
-		t.Cleanup(func() { os.Remove(path) })
-	} else {
-		path = filepath.Join(t.TempDir(), filename)
-	}
-
-	// The least troublesome thing to make that is not a file is a unix socket.
-	// Making a null device sadly requires root.
-	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer l.Close()
-
-	err = WriteFile(path, []byte("hello"), 0644)
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	}
-	if !strings.Contains(err.Error(), "is not a regular file") {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}
--- a/build_dist.sh
+++ b/build_dist.sh
@ -11,25 +11,42 @@

 set -eu

-go="go"
-if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
-	go="./tool/go"
+IFS=".$IFS" read -r major minor patch <VERSION.txt
+git_hash=$(git rev-parse HEAD)
+if ! git diff-index --quiet HEAD; then
+	git_hash="${git_hash}-dirty"
+fi
+base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
+change_count=$(git rev-list --count HEAD "^$base_hash")
+short_hash=$(echo "$git_hash" | cut -c1-9)
+
+if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
+	patch="$change_count"
+	change_suffix=""
+elif [ "$change_count" != "0" ]; then
+	change_suffix="-$change_count"
+else
+	change_suffix=""
 fi

-eval `CGO_ENABLED=0 GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
+long_suffix="$change_suffix-t$short_hash"
+MINOR="$major.$minor"
+SHORT="$MINOR.$patch"
+LONG="${SHORT}$long_suffix"
+GIT_HASH="$git_hash"

 if [ "$1" = "shellvars" ]; then
 	cat <<EOF
-VERSION_MINOR="$VERSION_MINOR"
-VERSION_SHORT="$VERSION_SHORT"
-VERSION_LONG="$VERSION_LONG"
-VERSION_GIT_HASH="$VERSION_GIT_HASH"
+VERSION_MINOR="$MINOR"
+VERSION_SHORT="$SHORT"
+VERSION_LONG="$LONG"
+VERSION_GIT_HASH="$GIT_HASH"
 EOF
 	exit 0
 fi

 tags=""
-ldflags="-X tailscale.com/version.longStamp=${VERSION_LONG} -X tailscale.com/version.shortStamp=${VERSION_SHORT}"
+ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"

 # build_dist.sh arguments must precede go build arguments.
 while [ "$#" -gt 1 ]; do
@ -37,7 +54,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap"
 		;;
 	--box)
 		shift
@ -49,4 +66,4 @@ while [ "$#" -gt 1 ]; do
 	esac
 done

-exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
--- a/build_docker.sh
+++ b/build_docker.sh
@ -43,9 +43,9 @@ case "$TARGET" in
        tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
        tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.Long=${VERSION_LONG} \
+        -X tailscale.com/version.Short=${VERSION_SHORT} \
+        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
      --repos="${REPOS}" \
@ -58,9 +58,9 @@ case "$TARGET" in
    go run github.com/tailscale/mkctr \
      --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.Long=${VERSION_LONG} \
+        -X tailscale.com/version.Short=${VERSION_SHORT} \
+        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
      --repos="${REPOS}" \
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@ -103,7 +103,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 // it as a string.
 // HuJSON is JSON with a few modifications to make it more human-friendly. The primary
 // changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/s/acl-format
+// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
 // https://github.com/tailscale/hujson
 func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	// Format return errors to be descriptive.
@ -436,7 +436,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		}
 	}()

-	tests := []ACLTest{{User: source, Allow: []string{dest}}}
+	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
 	postData, err := json.Marshal(tests)
 	if err != nil {
 		return nil, err
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"tailscale.com/types/opt"
 )
@ -43,18 +44,17 @@ type Device struct {
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`

-	ClientVersion     string   `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool     `json:"updateAvailable"` // Empty for external devices.
-	OS                string   `json:"os"`
-	Tags              []string `json:"tags"`
-	Created           string   `json:"created"` // Empty for external devices.
-	LastSeen          string   `json:"lastSeen"`
-	KeyExpiryDisabled bool     `json:"keyExpiryDisabled"`
-	Expires           string   `json:"expires"`
-	Authorized        bool     `json:"authorized"`
-	IsExternal        bool     `json:"isExternal"`
-	MachineKey        string   `json:"machineKey"` // Empty for external devices.
-	NodeKey           string   `json:"nodeKey"`
+	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
+	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
+	OS                string `json:"os"`
+	Created           string `json:"created"` // Empty for external devices.
+	LastSeen          string `json:"lastSeen"`
+	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
+	Expires           string `json:"expires"`
+	Authorized        bool   `json:"authorized"`
+	IsExternal        bool   `json:"isExternal"`
+	MachineKey        string `json:"machineKey"` // Empty for external devices.
+	NodeKey           string `json:"nodeKey"`

 	// BlocksIncomingConnections is configured via the device's
 	// Tailscale client preferences. This field is only reported
@ -212,20 +212,8 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)

 // AuthorizeDevice marks a device as authorized.
 func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	return c.SetAuthorized(ctx, deviceID, true)
-}
-
-// SetAuthorized marks a device as authorized or not.
-func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
-	params := &struct {
-		Authorized bool `json:"authorized"`
-	}{Authorized: authorized}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
 	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
 	if err != nil {
 		return err
 	}
--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@ -63,7 +63,7 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	return b, nil
 }

-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
 	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@ -68,32 +68,12 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 }

 // CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. It returns the secret key itself, which cannot be retrieved again
+// can be created. Returns the key itself, which cannot be retrieved again
 // later, and the key metadata.
-//
-// To create a key with a specific expiry, use CreateKeyWithExpiry.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
-	return c.CreateKeyWithExpiry(ctx, caps, 0)
-}
-
-// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
-//
-// The time is truncated to a whole number of seconds. If zero, that means no expiration.
-func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
-
-	// convert expirySeconds to an int64 (seconds)
-	expirySeconds := int64(expiry.Seconds())
-	if expirySeconds < 0 {
-		return "", nil, fmt.Errorf("expiry must be positive")
-	}
-	if expirySeconds == 0 && expiry != 0 {
-		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
-	}
-
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
 	keyRequest := struct {
-		Capabilities  KeyCapabilities `json:"capabilities"`
-		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
-	}{caps, int64(expirySeconds)}
+		Capabilities KeyCapabilities `json:"capabilities"`
+	}{caps}
 	bs, err := json.Marshal(keyRequest)
 	if err != nil {
 		return "", nil, err
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@ -36,7 +36,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
-	"tailscale.com/types/tkatype"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@ -96,9 +95,8 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 		// a TCP server on a random port, find the random port. For HTTP connections,
 		// we don't send the token. It gets added in an HTTP Basic-Auth header.
 		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			// We use 127.0.0.1 and not "localhost" (issue 7851).
 			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
+			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
 		}
 	}
 	s := safesocket.DefaultConnectionStrategy(lc.socket())
@ -369,34 +367,6 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }

-// DebugPortmap invokes the debug-portmap endpoint, and returns an
-// io.ReadCloser that can be used to read the logs that are printed during this
-// process.
-func (lc *LocalClient) DebugPortmap(ctx context.Context, duration time.Duration, ty, gwSelf string) (io.ReadCloser, error) {
-	vals := make(url.Values)
-	vals.Set("duration", duration.String())
-	vals.Set("type", ty)
-	if gwSelf != "" {
-		vals.Set("gateway_and_self", gwSelf)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-portmap?"+vals.Encode(), nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-
-	return res.Body, nil
-}
-
 // SetDevStoreKeyValue set a statestore key/value. It's only meant for development.
 // The schema (including when keys are re-read) is not a stable interface.
 func (lc *LocalClient) SetDevStoreKeyValue(ctx context.Context, key, value string) error {
@ -851,30 +821,6 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disa
 	return decodeJSON[*ipnstate.NetworkLockStatus](body)
 }

-// NetworkLockWrapPreauthKey wraps a pre-auth key with information to
-// enable unattended bringup in the locked tailnet.
-func (lc *LocalClient) NetworkLockWrapPreauthKey(ctx context.Context, preauthKey string, tkaKey key.NLPrivate) (string, error) {
-	encodedPrivate, err := tkaKey.MarshalText()
-	if err != nil {
-		return "", err
-	}
-
-	var b bytes.Buffer
-	type wrapRequest struct {
-		TSKey  string
-		TKAKey string // key.NLPrivate.MarshalText
-	}
-	if err := json.NewEncoder(&b).Encode(wrapRequest{TSKey: preauthKey, TKAKey: string(encodedPrivate)}); err != nil {
-		return "", err
-	}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/wrap-preauth-key", 200, &b)
-	if err != nil {
-		return "", fmt.Errorf("error: %w", err)
-	}
-	return string(body), nil
-}
-
 // NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
 func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
 	var b bytes.Buffer
@ -912,15 +858,6 @@ func (lc *LocalClient) NetworkLockSign(ctx context.Context, nodeKey key.NodePubl
 	return nil
 }

-// NetworkLockAffectedSigs returns all signatures signed by the specified keyID.
-func (lc *LocalClient) NetworkLockAffectedSigs(ctx context.Context, keyID tkatype.KeyID) ([]tkatype.MarshaledSignature, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/affected-sigs", 200, bytes.NewReader(keyID))
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-	return decodeJSON[[]tkatype.MarshaledSignature](body)
-}
-
 // NetworkLockLog returns up to maxEntries number of changes to network-lock state.
 func (lc *LocalClient) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstate.NetworkLockUpdate, error) {
 	v := url.Values{}
@ -946,21 +883,6 @@ func (lc *LocalClient) NetworkLockForceLocalDisable(ctx context.Context) error {
 	return nil
 }

-// NetworkLockVerifySigningDeeplink verifies the network lock deeplink contained
-// in url and returns information extracted from it.
-func (lc *LocalClient) NetworkLockVerifySigningDeeplink(ctx context.Context, url string) (*tka.DeeplinkValidationResult, error) {
-	vr := struct {
-		URL string
-	}{url}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/verify-deeplink", 200, jsonBody(vr))
-	if err != nil {
-		return nil, fmt.Errorf("sending verify-deeplink: %w", err)
-	}
-
-	return decodeJSON[*tka.DeeplinkValidationResult](body)
-}
-
 // SetServeConfig sets or replaces the serving settings.
 // If config is nil, settings are cleared and serving is disabled.
 func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
@ -1117,6 +1039,7 @@ func (lc *LocalClient) StreamDebugCapture(ctx context.Context) (io.ReadCloser, e
 	}
 	res, err := lc.doLocalRequestNiceError(req)
 	if err != nil {
+		res.Body.Close()
 		return nil, err
 	}
 	if res.StatusCode != 200 {
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@ -6,28 +6,138 @@
 package main

 import (
+	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
+	"strings"
+	"time"

-	"tailscale.com/kube"
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/multierr"
 )

+// checkSecretPermissions checks the secret access permissions of the current
+// pod. It returns an error if the basic permissions tailscale needs are
+// missing, and reports whether the patch permission is additionally present.
+//
+// Errors encountered during the access checking process are logged, but ignored
+// so that the pod tries to fail alive if the permissions exist and there's just
+// something wrong with SelfSubjectAccessReviews. There shouldn't be, pods
+// should always be able to use SSARs to assess their own permissions, but since
+// we didn't use to check permissions this way we'll be cautious in case some
+// old version of k8s deviates from the current behavior.
+func checkSecretPermissions(ctx context.Context, secretName string) (canPatch bool, err error) {
+	var errs []error
+	for _, verb := range []string{"get", "update"} {
+		ok, err := checkPermission(ctx, verb, secretName)
+		if err != nil {
+			log.Printf("error checking %s permission on secret %s: %v", verb, secretName, err)
+		} else if !ok {
+			errs = append(errs, fmt.Errorf("missing %s permission on secret %q", verb, secretName))
+		}
+	}
+	if len(errs) > 0 {
+		return false, multierr.New(errs...)
+	}
+	ok, err := checkPermission(ctx, "patch", secretName)
+	if err != nil {
+		log.Printf("error checking patch permission on secret %s: %v", secretName, err)
+		return false, nil
+	}
+	return ok, nil
+}
+
+// checkPermission reports whether the current pod has permission to use the
+// given verb (e.g. get, update, patch) on secretName.
+func checkPermission(ctx context.Context, verb, secretName string) (bool, error) {
+	sar := map[string]any{
+		"apiVersion": "authorization.k8s.io/v1",
+		"kind":       "SelfSubjectAccessReview",
+		"spec": map[string]any{
+			"resourceAttributes": map[string]any{
+				"namespace": kubeNamespace,
+				"verb":      verb,
+				"resource":  "secrets",
+				"name":      secretName,
+			},
+		},
+	}
+	bs, err := json.Marshal(sar)
+	if err != nil {
+		return false, err
+	}
+	req, err := http.NewRequest("POST", "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(bs))
+	if err != nil {
+		return false, err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+	bs, err = io.ReadAll(resp.Body)
+	if err != nil {
+		return false, err
+	}
+	var res struct {
+		Status struct {
+			Allowed bool `json:"allowed"`
+		} `json:"status"`
+	}
+	if err := json.Unmarshal(bs, &res); err != nil {
+		return false, err
+	}
+	return res.Status.Allowed, nil
+}
+
 // findKeyInKubeSecret inspects the kube secret secretName for a data
 // field called "authkey", and returns its value if present.
 func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
-	s, err := kc.GetSecret(ctx, secretName)
+	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
 	if err != nil {
 		return "", err
 	}
-	ak, ok := s.Data["authkey"]
-	if !ok {
-		return "", nil
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		if resp != nil && resp.StatusCode == http.StatusNotFound {
+			// Kube secret doesn't exist yet, can't have an authkey.
+			return "", nil
+		}
+		return "", err
 	}
-	return string(ak), nil
+	defer resp.Body.Close()
+
+	bs, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	// We use a map[string]any here rather than import corev1.Secret,
+	// because we only do very limited things to the secret, and
+	// importing corev1 adds 12MiB to the compiled binary.
+	var s map[string]any
+	if err := json.Unmarshal(bs, &s); err != nil {
+		return "", err
+	}
+	if d, ok := s["data"].(map[string]any); ok {
+		if v, ok := d["authkey"].(string); ok {
+			bs, err := base64.StdEncoding.DecodeString(v)
+			if err != nil {
+				return "", err
+			}
+			return string(bs), nil
+		}
+	}
+	return "", nil
 }

 // storeDeviceInfo writes deviceID into the "device_id" data field of the kube
@ -35,38 +145,65 @@ func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error)
 func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string) error {
 	// First check if the secret exists at all. Even if running on
 	// kubernetes, we do not necessarily store state in a k8s secret.
-	if _, err := kc.GetSecret(ctx, secretName); err != nil {
-		if s, ok := err.(*kube.Status); ok {
-			if s.Code >= 400 && s.Code <= 499 {
-				// Assume the secret doesn't exist, or we don't have
-				// permission to access it.
-				return nil
-			}
+	req, err := http.NewRequest("GET", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", kubeNamespace, secretName), nil)
+	if err != nil {
+		return err
+	}
+	resp, err := doKubeRequest(ctx, req)
+	if err != nil {
+		if resp != nil && resp.StatusCode >= 400 && resp.StatusCode <= 499 {
+			// Assume the secret doesn't exist, or we don't have
+			// permission to access it.
+			return nil
 		}
 		return err
 	}

-	m := &kube.Secret{
-		Data: map[string][]byte{
-			"device_id":   []byte(deviceID),
-			"device_fqdn": []byte(fqdn),
+	m := map[string]map[string]string{
+		"stringData": {
+			"device_id":   string(deviceID),
+			"device_fqdn": fqdn,
 		},
 	}
-	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(m); err != nil {
+		return err
+	}
+	req, err = http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/strategic-merge-patch+json")
+	if _, err := doKubeRequest(ctx, req); err != nil {
+		return err
+	}
+	return nil
 }

 // deleteAuthKey deletes the 'authkey' field of the given kube
 // secret. No-op if there is no authkey in the secret.
 func deleteAuthKey(ctx context.Context, secretName string) error {
 	// m is a JSON Patch data structure, see https://jsonpatch.com/ or RFC 6902.
-	m := []kube.JSONPatch{
+	m := []struct {
+		Op   string `json:"op"`
+		Path string `json:"path"`
+	}{
 		{
 			Op:   "remove",
 			Path: "/data/authkey",
 		},
 	}
-	if err := kc.JSONPatchSecret(ctx, secretName, m); err != nil {
-		if s, ok := err.(*kube.Status); ok && s.Code == http.StatusUnprocessableEntity {
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(m); err != nil {
+		return err
+	}
+	req, err := http.NewRequest("PATCH", fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s?fieldManager=tailscale-container", kubeNamespace, secretName), &b)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json-patch+json")
+	if resp, err := doKubeRequest(ctx, req); err != nil {
+		if resp != nil && resp.StatusCode == http.StatusUnprocessableEntity {
 			// This is kubernetes-ese for "the field you asked to
 			// delete already doesn't exist", aka no-op.
 			return nil
@ -76,22 +213,65 @@ func deleteAuthKey(ctx context.Context, secretName string) error {
 	return nil
 }

-var kc *kube.Client
+var (
+	kubeHost      string
+	kubeNamespace string
+	kubeToken     string
+	kubeHTTP      *http.Transport
+)

 func initKube(root string) {
-	if root != "/" {
-		// If we are running in a test, we need to set the root path to the fake
-		// service account directory.
-		kube.SetRootPathForTesting(root)
+	// If running in Kubernetes, set things up so that doKubeRequest
+	// can talk successfully to the kube apiserver.
+	if os.Getenv("KUBERNETES_SERVICE_HOST") == "" {
+		return
 	}
-	var err error
-	kc, err = kube.New()
+
+	kubeHost = os.Getenv("KUBERNETES_SERVICE_HOST") + ":" + os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")
+
+	bs, err := os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/namespace"))
 	if err != nil {
-		log.Fatalf("Error creating kube client: %v", err)
+		log.Fatalf("Error reading kube namespace: %v", err)
 	}
-	if root != "/" {
-		// If we are running in a test, we need to set the URL to the
-		// httptest server.
-		kc.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
+	kubeNamespace = strings.TrimSpace(string(bs))
+
+	bs, err = os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/token"))
+	if err != nil {
+		log.Fatalf("Error reading kube token: %v", err)
+	}
+	kubeToken = strings.TrimSpace(string(bs))
+
+	bs, err = os.ReadFile(filepath.Join(root, "var/run/secrets/kubernetes.io/serviceaccount/ca.crt"))
+	if err != nil {
+		log.Fatalf("Error reading kube CA cert: %v", err)
+	}
+	cp := x509.NewCertPool()
+	cp.AppendCertsFromPEM(bs)
+	kubeHTTP = &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs: cp,
+		},
+		IdleConnTimeout: time.Second,
 	}
 }
+
+// doKubeRequest sends r to the kube apiserver.
+func doKubeRequest(ctx context.Context, r *http.Request) (*http.Response, error) {
+	if kubeHTTP == nil {
+		panic("not in kubernetes")
+	}
+
+	r.URL.Scheme = "https"
+	r.URL.Host = kubeHost
+	r.Header.Set("Authorization", "Bearer "+kubeToken)
+	r.Header.Set("Accept", "application/json")
+
+	resp, err := kubeHTTP.RoundTrip(r)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		return resp, fmt.Errorf("got non-200/201 status code %d", resp.StatusCode)
+	}
+	return resp, nil
+}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@ -123,7 +123,7 @@ func main() {
 	defer cancel()

 	if cfg.InKubernetes && cfg.KubeSecret != "" {
-		canPatch, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret)
+		canPatch, err := checkSecretPermissions(ctx, cfg.KubeSecret)
 		if err != nil {
 			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
 		}
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@ -607,7 +607,7 @@ func TestContainerBoot(t *testing.T) {
 			}()

 			var wantCmds []string
-			for i, p := range test.Phases {
+			for _, p := range test.Phases {
 				lapi.Notify(p.Notify)
 				wantCmds = append(wantCmds, p.WantCmds...)
 				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
@ -626,7 +626,7 @@ func TestContainerBoot(t *testing.T) {
 					return nil
 				})
 				if err != nil {
-					t.Fatalf("phase %d: %v", i, err)
+					t.Fatal(err)
 				}
 				err = tstest.WaitFor(2*time.Second, func() error {
 					for path, want := range p.WantFiles {
@ -983,13 +983,13 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 			}
 		case "application/strategic-merge-patch+json":
 			req := struct {
-				Data map[string][]byte `json:"data"`
+				Data map[string]string `json:"stringData"`
 			}{}
 			if err := json.Unmarshal(bs, &req); err != nil {
 				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
 			}
 			for key, val := range req.Data {
-				k.secret[key] = string(val)
+				k.secret[key] = val
 			}
 		default:
 			panic(fmt.Sprintf("unknown content type %q", r.Header.Get("Content-Type")))
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@ -14,7 +14,6 @@ import (
 	"time"

 	"tailscale.com/syncs"
-	"tailscale.com/util/slicesx"
 )

 const refreshTimeout = time.Minute
@ -53,13 +52,6 @@ func refreshBootstrapDNS() {
 	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
 	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	// Randomize the order of the IPs for each name to avoid the client biasing
-	// to IPv6
-	for k := range dnsEntries {
-		ips := dnsEntries[k]
-		slicesx.Shuffle(ips)
-		dnsEntries[k] = ips
-	}
 	j, err := json.MarshalIndent(dnsEntries, "", "\t")
 	if err != nil {
 		// leave the old values in place
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@ -11,12 +11,14 @@ import (
 	"net/url"
 	"reflect"
 	"testing"
-
-	"tailscale.com/tstest"
 )

 func BenchmarkHandleBootstrapDNS(b *testing.B) {
-	tstest.Replace(b, bootstrapDNS, "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com")
+	prev := *bootstrapDNS
+	*bootstrapDNS = "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com"
+	defer func() {
+		*bootstrapDNS = prev
+	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
 	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@ -72,7 +72,7 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 		return nil, fmt.Errorf("can not load cert: %w", err)
 	}
 	if err := x509Cert.VerifyHostname(hostname); err != nil {
-		// return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
+		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
 	}
 	return &manualCertManager{cert: &cert, hostname: hostname}, nil
 }
@ -81,7 +81,7 @@ func (m *manualCertManager) TLSConfig() *tls.Config {
 	return &tls.Config{
 		Certificates: nil,
 		NextProtos: []string{
-			"http/1.1",
+			"h2", "http/1.1", // enable HTTP/2
 		},
 		GetCertificate: m.getCertificate,
 	}
@ -89,7 +89,7 @@ func (m *manualCertManager) TLSConfig() *tls.Config {

 func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if hi.ServerName != m.hostname {
-		//return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
+		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
 	}

 	// Return a shallow copy of the cert so the caller can append to its
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@ -3,94 +3,26 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
        filippo.io/edwards25519/field                                from filippo.io/edwards25519
   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
-     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
-        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
-        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
-        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
-        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
-  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
-  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
-  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
-   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
-   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
        go4.org/netipx                                               from tailscale.com/wgengine/filter
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
-        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
-        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
-        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
-        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
-     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
-        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
-     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
-        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
-   L    gvisor.dev/gvisor/pkg/abi                                    from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/abi/linux                              from tailscale.com/util/linuxfw
-   L    gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/abi/linux
-   L    gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/abi/linux+
-   L 💣 gvisor.dev/gvisor/pkg/hostarch                               from gvisor.dev/gvisor/pkg/abi/linux+
-   L    gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
-   L    gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context
-   L    gvisor.dev/gvisor/pkg/marshal                                from gvisor.dev/gvisor/pkg/abi/linux+
-   L 💣 gvisor.dev/gvisor/pkg/marshal/primitive                      from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/abi/linux+
-   L    gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
-   L 💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
-   L    gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context
        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@ -112,13 +44,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
@ -130,15 +59,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
-        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
-        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
@ -151,17 +77,14 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-   L 💣 tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
-        tailscale.com/util/mak                                       from tailscale.com/syncs+
-        tailscale.com/util/multierr                                  from tailscale.com/health+
-        tailscale.com/util/set                                       from tailscale.com/health+
+        tailscale.com/util/mak                                       from tailscale.com/syncs
+        tailscale.com/util/multierr                                  from tailscale.com/health
+        tailscale.com/util/set                                       from tailscale.com/health
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
@ -182,12 +105,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/maps                                        from tailscale.com/types/views
        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http+
+        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
@ -208,7 +130,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from internal/profile+
-   L    compress/zlib                                                from debug/elf
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@ -232,8 +153,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/tls                                                   from golang.org/x/crypto/acme+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-   L    debug/dwarf                                                  from debug/elf
-   L    debug/elf                                                    from golang.org/x/sys/unix
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@ -247,18 +166,14 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        expvar                                                       from tailscale.com/cmd/derper+
        flag                                                         from tailscale.com/cmd/derper
        fmt                                                          from compress/flate+
-        go/token                                                     from google.golang.org/protobuf/internal/strs
        hash                                                         from crypto+
-   L    hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/mitchellh/go-ps+
        log                                                          from expvar+
-        log/internal                                                 from log
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
@ -270,7 +185,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/http                                                     from expvar+
        net/http/httptrace                                           from net/http+
        net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb+
+        net/http/pprof                                               from tailscale.com/tsweb
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
@ -283,7 +198,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        regexp                                                       from internal/profile+
        regexp/syntax                                                from regexp
        runtime/debug                                                from golang.org/x/crypto/acme+
-        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
        sort                                                         from compress/flate+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@ -33,12 +33,11 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/util/cmpx"
 )

 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
-	addr       = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
+	dev        = flag.Bool("dev", false, "run in localhost development mode")
+	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
 	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	configPath = flag.String("c", "", "config file path")
@ -437,7 +436,11 @@ func defaultMeshPSKFile() string {
 }

 func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
+	addr := srv.Addr
+	if addr == "" {
+		addr = ":https"
+	}
+	ln, err := net.Listen("tcp", addr)
 	if err != nil {
 		return err
 	}
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@ -5,6 +5,7 @@
 package main

 import (
+	"expvar"
 	"flag"
 	"fmt"
 	"html"
@ -22,14 +23,13 @@ var (
 	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
 	listen     = flag.String("listen", ":8030", "HTTP listen address")
 	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-	spread     = flag.Bool("spread", true, "whether to spread probing over time")
 	interval   = flag.Duration("interval", 15*time.Second, "probe interval")
 )

 func main() {
 	flag.Parse()

-	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
+	p := prober.New().WithSpread(true).WithOnce(*probeOnce)
 	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
 	if err != nil {
 		log.Fatal(err)
@ -52,6 +52,7 @@ func main() {

 	mux := http.NewServeMux()
 	tsweb.Debugger(mux)
+	expvar.Publish("derpprobe", p.Expvar())
 	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@ -1,51 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The dist command builds Tailscale release packages for distribution.
-package main
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"log"
-	"os"
-
-	"tailscale.com/release/dist"
-	"tailscale.com/release/dist/cli"
-	"tailscale.com/release/dist/synology"
-	"tailscale.com/release/dist/unixpkgs"
-)
-
-var synologyPackageCenter bool
-
-func getTargets() ([]dist.Target, error) {
-	var ret []dist.Target
-
-	ret = append(ret, unixpkgs.Targets()...)
-	// Synology packages can be built either for sideloading, or for
-	// distribution by Synology in their package center. When
-	// distributed through the package center, apps can request
-	// additional permissions to use a tuntap interface and control
-	// the NAS's network stack, rather than be forced to run in
-	// userspace mode.
-	//
-	// Since only we can provide packages to Synology for
-	// distribution, we default to building the "sideload" variant of
-	// packages that we distribute on pkgs.tailscale.com.
-	ret = append(ret, synology.Targets(synologyPackageCenter)...)
-	return ret, nil
-}
-
-func main() {
-	cmd := cli.CLI(getTargets)
-	for _, subcmd := range cmd.Subcommands {
-		if subcmd.Name == "build" {
-			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
-		}
-	}
-
-	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
-		log.Fatal(err)
-	}
-}
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@ -2,7 +2,7 @@
 // SPDX-License-Identifier: BSD-3-Clause

 // get-authkey allocates an authkey using an OAuth API client
-// https://tailscale.com/s/oauth-clients and prints it
+// https://tailscale.com/kb/1215/oauth-clients/ and prints it
 // to stdout for scripts to capture and use.
 package main

@ -16,7 +16,6 @@ import (

 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/util/cmpx"
 )

 func main() {
@ -30,29 +29,28 @@ func main() {
 	tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
 	flag.Parse()

-	clientID := os.Getenv("TS_API_CLIENT_ID")
+	clientId := os.Getenv("TS_API_CLIENT_ID")
 	clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
-	if clientID == "" || clientSecret == "" {
+	if clientId == "" || clientSecret == "" {
 		log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
 	}

-	if *tags == "" {
-		log.Fatal("at least one tag must be specified")
+	baseUrl := os.Getenv("TS_BASE_URL")
+	if baseUrl == "" {
+		baseUrl = "https://api.tailscale.com"
 	}

-	baseURL := cmpx.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
-
 	credentials := clientcredentials.Config{
-		ClientID:     clientID,
+		ClientID:     clientId,
 		ClientSecret: clientSecret,
-		TokenURL:     baseURL + "/api/v2/oauth/token",
+		TokenURL:     baseUrl + "/api/v2/oauth/token",
 		Scopes:       []string{"device"},
 	}

 	ctx := context.Background()
 	tsClient := tailscale.NewClient("-", nil)
 	tsClient.HTTPClient = credentials.Client(ctx)
-	tsClient.BaseURL = baseURL
+	tsClient.BaseURL = baseUrl

 	caps := tailscale.KeyCapabilities{
 		Devices: tailscale.KeyDeviceCapabilities{
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@ -22,7 +22,6 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/tailscale/hujson"
-	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/util/httpm"
 )

@ -43,9 +42,9 @@ func modifiedExternallyError() {
 	}
 }

-func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
+func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
 			return err
 		}
@ -74,7 +73,7 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 			return nil
 		}

-		if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil {
+		if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil {
 			return err
 		}

@ -84,9 +83,9 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 	}
 }

-func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
+func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
 			return err
 		}
@ -114,16 +113,16 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
 			return nil
 		}

-		if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil {
+		if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil {
 			return err
 		}
 		return nil
 	}
 }

-func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
+func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
+		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
 			return err
 		}
@ -152,24 +151,8 @@ func main() {
 		log.Fatal("set envvar TS_TAILNET to your tailnet's name")
 	}
 	apiKey, ok := os.LookupEnv("TS_API_KEY")
-	oauthId, oiok := os.LookupEnv("TS_OAUTH_ID")
-	oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET")
-	if !ok && (!oiok || !osok) {
-		log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
-	}
-	if ok && (oiok || osok) {
-		log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
-	}
-	var client *http.Client
-	if oiok {
-		oauthConfig := &clientcredentials.Config{
-			ClientID:     oauthId,
-			ClientSecret: oauthSecret,
-			TokenURL:     fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
-		}
-		client = oauthConfig.Client(context.Background())
-	} else {
-		client = http.DefaultClient
+	if !ok {
+		log.Fatal("set envvar TS_API_KEY to your Tailscale API key")
 	}
 	cache, err := LoadCache(*cacheFname)
 	if err != nil {
@ -186,7 +169,7 @@ func main() {
 		ShortUsage: "gitops-pusher [options] apply",
 		ShortHelp:  "Pushes changes to CONTROL",
 		LongHelp:   `Pushes changes to CONTROL`,
-		Exec:       apply(cache, client, tailnet, apiKey),
+		Exec:       apply(cache, tailnet, apiKey),
 	}

 	testCmd := &ffcli.Command{
@ -194,7 +177,7 @@ func main() {
 		ShortUsage: "gitops-pusher [options] test",
 		ShortHelp:  "Tests ACL changes",
 		LongHelp:   "Tests ACL changes",
-		Exec:       test(cache, client, tailnet, apiKey),
+		Exec:       test(cache, tailnet, apiKey),
 	}

 	cksumCmd := &ffcli.Command{
@ -202,7 +185,7 @@ func main() {
 		ShortUsage: "Shows checksums of ACL files",
 		ShortHelp:  "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
 		LongHelp:   "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		Exec:       getChecksums(cache, client, tailnet, apiKey),
+		Exec:       getChecksums(cache, tailnet, apiKey),
 	}

 	root := &ffcli.Command{
@ -245,7 +228,7 @@ func sumFile(fname string) (string, error) {
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }

-func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname, oldEtag string) error {
+func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error {
 	fin, err := os.Open(policyFname)
 	if err != nil {
 		return err
@ -261,7 +244,7 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	req.Header.Set("Content-Type", "application/hujson")
 	req.Header.Set("If-Match", `"`+oldEtag+`"`)

-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
@ -282,7 +265,7 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	return nil
 }

-func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname string) error {
+func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
 	data, err := os.ReadFile(policyFname)
 	if err != nil {
 		return err
@ -300,7 +283,7 @@ func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	req.SetBasicAuth(apiKey, "")
 	req.Header.Set("Content-Type", "application/hujson")

-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
@ -363,7 +346,7 @@ type ACLTestErrorDetail struct {
 	Errors []string `json:"errors"`
 }

-func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) {
+func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
 	req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {
 		return "", err
@ -372,7 +355,7 @@ func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string
 	req.SetBasicAuth(apiKey, "")
 	req.Header.Set("Accept", "application/hujson")

-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", err
 	}
--- a/cmd/k8s-operator/manifests/authproxy-rbac.yaml
+++ b/cmd/k8s-operator/manifests/authproxy-rbac.yaml
@ -1,24 +0,0 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale-auth-proxy
-rules:
- apiGroups: [""]
-  resources: ["users", "groups"]
-  verbs: ["impersonate"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tailscale-auth-proxy
-subjects:
- kind: ServiceAccount
-  name: operator
-  namespace: tailscale
-roleRef:
-  kind: ClusterRole
-  name: tailscale-auth-proxy
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@ -148,8 +148,6 @@ spec:
              value: tailscale/tailscale:unstable
            - name: PROXY_TAGS
              value: tag:k8s
-            - name: AUTH_PROXY
-              value: "false"
          volumeMounts:
          - name: oauth
            mountPath: /oauth
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@ -7,10 +7,8 @@ package main

 import (
 	"context"
-	"crypto/tls"
 	_ "embed"
 	"fmt"
-	"net/http"
 	"os"
 	"strings"
 	"time"
@ -25,8 +23,8 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@ -37,16 +35,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/kubestore"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/version"
 )

 func main() {
@ -55,17 +51,15 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	var (
-		hostname           = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
-		kubeSecret         = defaultEnv("OPERATOR_SECRET", "")
-		operatorTags       = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
-		tsNamespace        = defaultEnv("OPERATOR_NAMESPACE", "")
-		tslogging          = defaultEnv("OPERATOR_LOGGING", "info")
-		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
-		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
-		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
-		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
-		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
+		hostname         = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
+		kubeSecret       = defaultEnv("OPERATOR_SECRET", "")
+		operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
+		tsNamespace      = defaultEnv("OPERATOR_NAMESPACE", "")
+		tslogging        = defaultEnv("OPERATOR_LOGGING", "info")
+		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
+		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
+		image            = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		tags             = defaultEnv("PROXY_TAGS", "tag:k8s")
 	)

 	var opts []kzap.Opts
@ -99,13 +93,6 @@ func main() {
 	}
 	tsClient := tailscale.NewClient("-", nil)
 	tsClient.HTTPClient = credentials.Client(context.Background())
-
-	if shouldRunAuthProxy {
-		hostinfo.SetApp("k8s-operator-proxy")
-	} else {
-		hostinfo.SetApp("k8s-operator")
-	}
-
 	s := &tsnet.Server{
 		Hostname: hostname,
 		Logf:     zlog.Named("tailscaled").Debugf,
@ -168,7 +155,7 @@ waitOnline:
 			loginDone = true
 		case "NeedsMachineAuth":
 			if !machineAuthShown {
-				startlog.Infof("Machine approval required, please visit the admin panel to approve")
+				startlog.Infof("Machine authorization required, please visit the admin panel to authorize")
 				machineAuthShown = true
 			}
 		default:
@ -183,33 +170,31 @@ waitOnline:
 	// the cache that sits a few layers below the builder stuff, which will
 	// implicitly filter what parts of the world the builder code gets to see at
 	// all.
-	nsFilter := cache.ByObject{
-		Field: client.InNamespace(tsNamespace).AsSelector(),
+	nsFilter := cache.ObjectSelector{
+		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
 	}
-	restConfig := config.GetConfigOrDie()
-	mgr, err := manager.New(restConfig, manager.Options{
-		Cache: cache.Options{
-			ByObject: map[client.Object]cache.ByObject{
+	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{
+		NewCache: cache.BuilderWithOptions(cache.Options{
+			SelectorsByObject: map[client.Object]cache.ObjectSelector{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
-		},
+		}),
 	})
 	if err != nil {
 		startlog.Fatalf("could not create manager: %v", err)
 	}

 	sr := &ServiceReconciler{
-		Client:                 mgr.GetClient(),
-		tsClient:               tsClient,
-		defaultTags:            strings.Split(tags, ","),
-		operatorNamespace:      tsNamespace,
-		proxyImage:             image,
-		proxyPriorityClassName: priorityClassName,
-		logger:                 zlog.Named("service-reconciler"),
+		Client:            mgr.GetClient(),
+		tsClient:          tsClient,
+		defaultTags:       strings.Split(tags, ","),
+		operatorNamespace: tsNamespace,
+		proxyImage:        image,
+		logger:            zlog.Named("service-reconciler"),
 	}

-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
+	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
 			return nil
@ -229,35 +214,14 @@ waitOnline:
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Watches(&source.Kind{Type: &appsv1.StatefulSet{}}, reconcileFilter).
+		Watches(&source.Kind{Type: &corev1.Secret{}}, reconcileFilter).
 		Complete(sr)
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}

-	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
-	if shouldRunAuthProxy {
-		cfg, err := restConfig.TransportConfig()
-		if err != nil {
-			startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
-		}
-
-		// Kubernetes uses SPDY for exec and port-forward, however SPDY is
-		// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
-		tr := http.DefaultTransport.(*http.Transport).Clone()
-		tr.TLSClientConfig, err = transport.TLSConfigFor(cfg)
-		if err != nil {
-			startlog.Fatalf("could not get transport.TLSConfigFor(): %v", err)
-		}
-		tr.TLSNextProto = make(map[string]func(authority string, c *tls.Conn) http.RoundTripper)
-
-		rt, err := transport.HTTPWrappersForConfig(cfg, tr)
-		if err != nil {
-			startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
-		}
-		go runAuthProxy(s, rt, zlog.Named("auth-proxy").Infof)
-	}
+	startlog.Infof("Startup complete, operator running")
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)
 	}
@ -279,12 +243,11 @@ const (
 // ServiceReconciler is a simple ControllerManagedBy example implementation.
 type ServiceReconciler struct {
 	client.Client
-	tsClient               tsClient
-	defaultTags            []string
-	operatorNamespace      string
-	proxyImage             string
-	proxyPriorityClassName string
-	logger                 *zap.SugaredLogger
+	tsClient          tsClient
+	defaultTags       []string
+	operatorNamespace string
+	proxyImage        string
+	logger            *zap.SugaredLogger
 }

 type tsClient interface {
@ -568,9 +531,6 @@ func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Servi
 	if err != nil {
 		return "", "", err
 	}
-	if sec == nil {
-		return "", "", nil
-	}
 	id = string(sec.Data["device_id"])
 	if id == "" {
 		return "", "", nil
@ -594,7 +554,6 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 			},
 		},
 	}
-
 	key, _, err := a.tsClient.CreateKey(ctx, caps)
 	if err != nil {
 		return "", err
@ -639,7 +598,6 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
 		"app": string(parentSvc.UID),
 	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }
@ -724,15 +682,6 @@ func getSingleObject[T any, O ptrObject[T]](ctx context.Context, c client.Client
 	return ret, nil
 }

-func defaultBool(envName string, defVal bool) bool {
-	vs := os.Getenv(envName)
-	if vs == "" {
-		return defVal
-	}
-	v, _ := opt.Bool(vs).Get()
-	return v
-}
-
 func defaultEnv(envName, defVal string) string {
 	v := os.Getenv(envName)
 	if v == "" {
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@ -14,6 +14,7 @@ import (
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@ -64,7 +65,7 @@ func TestLoadBalancerClass(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@ -110,8 +111,6 @@ func TestLoadBalancerClass(t *testing.T) {
 	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
-	})
-	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@ -187,7 +186,7 @@ func TestAnnotations(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@ -284,7 +283,7 @@ func TestAnnotationIntoLB(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@ -328,7 +327,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@ -400,7 +399,7 @@ func TestLBIntoAnnotation(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@ -449,8 +448,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
-	})
-	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@ -459,7 +456,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@ -526,7 +523,7 @@ func TestCustomHostname(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@ -585,51 +582,6 @@ func TestCustomHostname(t *testing.T) {
 	expectEqual(t, fc, want)
 }

-func TestCustomPriorityClassName(t *testing.T) {
-	fc := fake.NewFakeClient()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	sr := &ServiceReconciler{
-		Client:                 fc,
-		tsClient:               ft,
-		defaultTags:            []string{"tag:k8s"},
-		operatorNamespace:      "operator-ns",
-		proxyImage:             "tailscale/tailscale",
-		proxyPriorityClassName: "tailscale-critical",
-		logger:                 zl.Sugar(),
-	}
-
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
-	mustCreate(t, fc, &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			// The apiserver is supposed to set the UID, but the fake client
-			// doesn't. So, set it explicitly because other code later depends
-			// on it being set.
-			UID: types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/expose":   "true",
-				"tailscale.com/hostname": "custom-priority-class-name",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeClusterIP,
-		},
-	})
-
-	expectReconciled(t, sr, "default", "test")
-
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
-}
-
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@ -678,7 +630,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }

-func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@ -707,7 +659,6 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",
-					PriorityClassName:  priorityClassName,
 					InitContainers: []corev1.Container{
 						{
 							Name:    "sysctler",
@ -719,11 +670,11 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 							},
 						},
 					},
-					Containers: []corev1.Container{
+					Containers: []v1.Container{
 						{
 							Name:  "tailscale",
 							Image: "tailscale/tailscale",
-							Env: []corev1.EnvVar{
+							Env: []v1.EnvVar{
 								{Name: "TS_USERSPACE", Value: "false"},
 								{Name: "TS_AUTH_ONCE", Value: "true"},
 								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
@ -781,21 +732,6 @@ func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, n
 	}
 }

-func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Status().Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
 func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
 	t.Helper()
 	got := O(new(T))
@ -879,6 +815,7 @@ func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabili
 	k := &tailscale.Key{
 		ID:           "key",
 		Created:      time.Now(),
+		Expires:      time.Now().Add(24 * time.Hour),
 		Capabilities: caps,
 	}
 	return "secret-authkey", k, nil
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@ -1,120 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"strings"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/tsnet"
-	"tailscale.com/types/logger"
-)
-
-type whoIsKey struct{}
-
-// authProxy is an http.Handler that authenticates requests using the Tailscale
-// LocalAPI and then proxies them to the Kubernetes API.
-type authProxy struct {
-	logf logger.Logf
-	lc   *tailscale.LocalClient
-	rp   *httputil.ReverseProxy
-}
-
-func (h *authProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	who, err := h.lc.WhoIs(r.Context(), r.RemoteAddr)
-	if err != nil {
-		h.logf("failed to authenticate caller: %v", err)
-		http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
-		return
-	}
-	r = r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
-	h.rp.ServeHTTP(w, r)
-}
-
-// runAuthProxy runs an HTTP server that authenticates requests using the
-// Tailscale LocalAPI and then proxies them to the Kubernetes API.
-// It listens on :443 and uses the Tailscale HTTPS certificate.
-// s will be started if it is not already running.
-// rt is used to proxy requests to the Kubernetes API.
-//
-// It never returns.
-func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
-	ln, err := s.Listen("tcp", ":443")
-	if err != nil {
-		log.Fatalf("could not listen on :443: %v", err)
-	}
-	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
-	if err != nil {
-		log.Fatalf("runAuthProxy: failed to parse URL %v", err)
-	}
-
-	lc, err := s.LocalClient()
-	if err != nil {
-		log.Fatalf("could not get local client: %v", err)
-	}
-	ap := &authProxy{
-		logf: logf,
-		lc:   lc,
-		rp: &httputil.ReverseProxy{
-			Director: func(r *http.Request) {
-				// We want to proxy to the Kubernetes API, but we want to use
-				// the caller's identity to do so. We do this by impersonating
-				// the caller using the Kubernetes User Impersonation feature:
-				// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
-
-				// Out of paranoia, remove all authentication headers that might
-				// have been set by the client.
-				r.Header.Del("Authorization")
-				r.Header.Del("Impersonate-Group")
-				r.Header.Del("Impersonate-User")
-				r.Header.Del("Impersonate-Uid")
-				for k := range r.Header {
-					if strings.HasPrefix(k, "Impersonate-Extra-") {
-						r.Header.Del(k)
-					}
-				}
-
-				// Now add the impersonation headers that we want.
-				who := r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
-				if who.Node.IsTagged() {
-					// Use the nodes FQDN as the username, and the nodes tags as the groups.
-					// "Impersonate-Group" requires "Impersonate-User" to be set.
-					r.Header.Set("Impersonate-User", strings.TrimSuffix(who.Node.Name, "."))
-					for _, tag := range who.Node.Tags {
-						r.Header.Add("Impersonate-Group", tag)
-					}
-				} else {
-					r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
-				}
-
-				// Replace the URL with the Kubernetes APIServer.
-				r.URL.Scheme = u.Scheme
-				r.URL.Host = u.Host
-			},
-			Transport: rt,
-		},
-	}
-	hs := &http.Server{
-		// Kubernetes uses SPDY for exec and port-forward, however SPDY is
-		// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
-		TLSConfig: &tls.Config{
-			GetCertificate: lc.GetCertificate,
-			NextProtos:     []string{"http/1.1"},
-		},
-		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
-		Handler:      ap,
-	}
-	if err := hs.ServeTLS(ln, "", ""); err != nil {
-		log.Fatalf("runAuthProxy: failed to serve %v", err)
-	}
-}
--- a/cmd/mkmanifest/main.go
+++ b/cmd/mkmanifest/main.go
@ -19,7 +19,7 @@ func main() {

 	arch := winres.Arch(os.Args[1])
 	switch arch {
-	case winres.ArchAMD64, winres.ArchARM64, winres.ArchI386:
+	case winres.ArchAMD64, winres.ArchARM64, winres.ArchI386, winres.ArchARM:
 	default:
 		log.Fatalf("unsupported arch: %s", arch)
 	}
--- a/cmd/mkversion/mkversion.go
+++ b/cmd/mkversion/mkversion.go
@ -1,44 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// mkversion gets version info from git and outputs a bunch of shell variables
-// that get used elsewhere in the build system to embed version numbers into
-// binaries.
-package main
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"time"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/version/mkversion"
-)
-
-func main() {
-	prefix := ""
-	if len(os.Args) > 1 {
-		if os.Args[1] == "--export" {
-			prefix = "export "
-		} else {
-			fmt.Println("usage: mkversion [--export|-h|--help]")
-			os.Exit(1)
-		}
-	}
-
-	var b bytes.Buffer
-	io.WriteString(&b, mkversion.Info().String())
-	// Copyright and the client capability are not part of the version
-	// information, but similarly used in Xcode builds to embed in the metadata,
-	// thus generate them now.
-	copyright := fmt.Sprintf("Copyright © %d Tailscale Inc. All Rights Reserved.", time.Now().Year())
-	fmt.Fprintf(&b, "VERSION_COPYRIGHT=%q\n", copyright)
-	fmt.Fprintf(&b, "VERSION_CAPABILITY=%d\n", tailcfg.CurrentCapabilityVersion)
-	s := bufio.NewScanner(&b)
-	for s.Scan() {
-		fmt.Println(prefix + s.Text())
-	}
-}
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@ -43,7 +43,7 @@ import (
 	jsonv2 "github.com/go-json-experiment/json"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
-	"tailscale.com/types/logid"
+	"tailscale.com/logtail"
 	"tailscale.com/types/netlogtype"
 	"tailscale.com/util/must"
 )
@ -136,8 +136,8 @@ func processObject(dec *jsonv2.Decoder) {

 type message struct {
 	Logtail struct {
-		ID     logid.PublicID `json:"id"`
-		Logged time.Time      `json:"server_time"`
+		ID     logtail.PublicID `json:"id"`
+		Logged time.Time        `json:"server_time"`
 	} `json:"logtail"`
 	Logged time.Time `json:"logged"`
 	netlogtype.Message
--- a/cmd/nginx-auth/mkdeb.sh
+++ b/cmd/nginx-auth/mkdeb.sh
@ -2,31 +2,30 @@

 set -e

-VERSION=0.1.3
-for ARCH in amd64 arm64; do
-    CGO_ENABLED=0 GOARCH=${ARCH} GOOS=linux go build -o tailscale.nginx-auth .
+CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .

-    mkpkg \
-        --out=tailscale-nginx-auth-${VERSION}-${ARCH}.deb \
-        --name=tailscale-nginx-auth \
-        --version=${VERSION} \
-        --type=deb \
-        --arch=${ARCH} \
-        --postinst=deb/postinst.sh \
-        --postrm=deb/postrm.sh \
-        --prerm=deb/prerm.sh \
-        --description="Tailscale NGINX authentication protocol handler" \
-        --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+VERSION=0.1.2

-    mkpkg \
-        --out=tailscale-nginx-auth-${VERSION}-${ARCH}.rpm \
-        --name=tailscale-nginx-auth \
-        --version=${VERSION} \
-        --type=rpm \
-        --arch=${ARCH} \
-        --postinst=rpm/postinst.sh \
-        --postrm=rpm/postrm.sh \
-        --prerm=rpm/prerm.sh \
-        --description="Tailscale NGINX authentication protocol handler" \
-        --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
-done
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
+    --type=deb \
+    --arch=amd64 \
+    --postinst=deb/postinst.sh \
+    --postrm=deb/postrm.sh \
+    --prerm=deb/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
+    --type=rpm \
+    --arch=amd64 \
+    --postinst=rpm/postinst.sh \
+    --postrm=rpm/postrm.sh \
+    --prerm=rpm/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@ -56,7 +56,7 @@ func main() {
 			return
 		}

-		if info.Node.IsTagged() {
+		if len(info.Node.Tags) != 0 {
 			w.WriteHeader(http.StatusForbidden)
 			log.Printf("node %s is tagged", info.Node.Hostinfo.Hostname())
 			return
--- a/cmd/pgproxy/pgproxy.go
+++ b/cmd/pgproxy/pgproxy.go
@ -272,7 +272,7 @@ func (p *proxy) serve(sessionID int64, c net.Conn) error {
 	}
 	if buf[0] != 'S' {
 		p.errors.Add("upstream-bad-protocol", 1)
-		return fmt.Errorf("upstream didn't acknowledge start-ssl, said %q", buf[0])
+		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
 	}
 	tlsConf := &tls.Config{
 		ServerName: p.upstreamHost,
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@ -31,11 +31,20 @@ func main() {
 		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
 	}
 	if *goToolchainURL {
+		var suffix string
+		switch runtime.GOARCH {
+		case "amd64":
+			// None
+		case "arm64":
+			suffix = "-" + runtime.GOARCH
+		default:
+			log.Fatalf("unsupported GOARCH %q", runtime.GOARCH)
+		}
 		switch runtime.GOOS {
 		case "linux", "darwin":
 		default:
 			log.Fatalf("unsupported GOOS %q", runtime.GOOS)
 		}
-		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s-%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, runtime.GOARCH)
+		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
 	}
 }
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@ -147,7 +147,7 @@ func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, i
 	if err != nil {
 		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}
-	if whois.Node.IsTagged() {
+	if len(whois.Node.Tags) != 0 {
 		return nil, fmt.Errorf("tagged nodes are not users")
 	}
 	if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {
--- a/cmd/sniproxy/sniproxy.go
+++ b/cmd/sniproxy/sniproxy.go
@ -1,224 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The sniproxy is an outbound SNI proxy. It receives TLS connections over
-// Tailscale on one or more TCP ports and sends them out to the same SNI
-// hostname & port on the internet. It only does TCP.
-package main
-
-import (
-	"context"
-	"flag"
-	"log"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"golang.org/x/net/dns/dnsmessage"
-	"inet.af/tcpproxy"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/hostinfo"
-	"tailscale.com/net/netutil"
-	"tailscale.com/tsnet"
-	"tailscale.com/types/nettype"
-)
-
-var (
-	ports        = flag.String("ports", "443", "comma-separated list of ports to proxy")
-	wgPort       = flag.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	promoteHTTPS = flag.Bool("promote-https", true, "promote HTTP to HTTPS")
-)
-
-var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")
-
-func main() {
-	flag.Parse()
-	if *ports == "" {
-		log.Fatal("no ports")
-	}
-
-	hostinfo.SetApp("sniproxy")
-
-	var s server
-	s.ts.Port = uint16(*wgPort)
-	defer s.ts.Close()
-
-	lc, err := s.ts.LocalClient()
-	if err != nil {
-		log.Fatal(err)
-	}
-	s.lc = lc
-
-	for _, portStr := range strings.Split(*ports, ",") {
-		ln, err := s.ts.Listen("tcp", ":"+portStr)
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Printf("Serving on port %v ...", portStr)
-		go s.serve(ln)
-	}
-
-	ln, err := s.ts.Listen("udp", ":53")
-	if err != nil {
-		log.Fatal(err)
-	}
-	go s.serveDNS(ln)
-
-	if *promoteHTTPS {
-		ln, err := s.ts.Listen("tcp", ":80")
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Printf("Promoting HTTP to HTTPS ...")
-		go s.promoteHTTPS(ln)
-	}
-
-	select {}
-}
-
-type server struct {
-	ts tsnet.Server
-	lc *tailscale.LocalClient
-}
-
-func (s *server) serve(ln net.Listener) {
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			log.Fatal(err)
-		}
-		go s.serveConn(c)
-	}
-}
-
-func (s *server) serveDNS(ln net.Listener) {
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			log.Fatal(err)
-		}
-		go s.serveDNSConn(c.(nettype.ConnPacketConn))
-	}
-}
-
-func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
-	defer c.Close()
-	c.SetReadDeadline(time.Now().Add(5 * time.Second))
-	buf := make([]byte, 1500)
-	n, err := c.Read(buf)
-	if err != nil {
-		log.Printf("c.Read failed: %v\n ", err)
-		return
-	}
-
-	var msg dnsmessage.Message
-	err = msg.Unpack(buf[:n])
-	if err != nil {
-		log.Printf("dnsmessage unpack failed: %v\n ", err)
-		return
-	}
-
-	buf, err = s.dnsResponse(&msg)
-	if err != nil {
-		log.Printf("s.dnsResponse failed: %v\n", err)
-		return
-	}
-
-	_, err = c.Write(buf)
-	if err != nil {
-		log.Printf("c.Write failed: %v\n", err)
-		return
-	}
-}
-
-func (s *server) serveConn(c net.Conn) {
-	addrPortStr := c.LocalAddr().String()
-	_, port, err := net.SplitHostPort(addrPortStr)
-	if err != nil {
-		log.Printf("bogus addrPort %q", addrPortStr)
-		c.Close()
-		return
-	}
-
-	var dialer net.Dialer
-	dialer.Timeout = 5 * time.Second
-
-	var p tcpproxy.Proxy
-	p.ListenFunc = func(net, laddr string) (net.Listener, error) {
-		return netutil.NewOneConnListener(c, nil), nil
-	}
-	p.AddSNIRouteFunc(addrPortStr, func(ctx context.Context, sniName string) (t tcpproxy.Target, ok bool) {
-		return &tcpproxy.DialProxy{
-			Addr:        net.JoinHostPort(sniName, port),
-			DialContext: dialer.DialContext,
-		}, true
-	})
-	p.Start()
-}
-
-func (s *server) dnsResponse(req *dnsmessage.Message) (buf []byte, err error) {
-	resp := dnsmessage.NewBuilder(buf,
-		dnsmessage.Header{
-			ID:            req.Header.ID,
-			Response:      true,
-			Authoritative: true,
-		})
-	resp.EnableCompression()
-
-	if len(req.Questions) == 0 {
-		buf, _ = resp.Finish()
-		return
-	}
-
-	q := req.Questions[0]
-	err = resp.StartQuestions()
-	if err != nil {
-		return
-	}
-	resp.Question(q)
-
-	ip4, ip6 := s.ts.TailscaleIPs()
-	err = resp.StartAnswers()
-	if err != nil {
-		return
-	}
-
-	switch q.Type {
-	case dnsmessage.TypeAAAA:
-		err = resp.AAAAResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.AAAAResource{AAAA: ip6.As16()},
-		)
-
-	case dnsmessage.TypeA:
-		err = resp.AResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.AResource{A: ip4.As4()},
-		)
-	case dnsmessage.TypeSOA:
-		err = resp.SOAResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.SOAResource{NS: q.Name, MBox: tsMBox, Serial: 2023030600,
-				Refresh: 120, Retry: 120, Expire: 120, MinTTL: 60},
-		)
-	case dnsmessage.TypeNS:
-		err = resp.NSResource(
-			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
-			dnsmessage.NSResource{NS: tsMBox},
-		)
-	}
-
-	if err != nil {
-		return
-	}
-
-	return resp.Finish()
-}
-
-func (s *server) promoteHTTPS(ln net.Listener) {
-	err := http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusFound)
-	}))
-	log.Fatalf("promoteHTTPS http.Serve: %v", err)
-}
--- a/cmd/sync-containers/main.go
+++ b/cmd/sync-containers/main.go
@ -85,15 +85,6 @@ func main() {
 		log.Printf("%d tags to remove: %s\n", len(remove), strings.Join(remove, ", "))
 		log.Printf("Not removing any tags for safety.\n")
 	}
-
-	var wellKnown = [...]string{"latest", "stable"}
-	for _, tag := range wellKnown {
-		if needsUpdate(*src, *dst, tag) {
-			if err := copyTag(*src, *dst, tag, opts...); err != nil {
-				log.Printf("Updating tag %q: progress error: %v", tag, err)
-			}
-		}
-	}
 }

 func copyTag(srcStr, dstStr, tag string, opts ...remote.Option) error {
@ -187,26 +178,3 @@ func diffTags(src, dst []string) (add, remove []string) {
 	sort.Strings(remove)
 	return add, remove
 }
-
-func needsUpdate(srcStr, dstStr, tag string) bool {
-	src, err := name.ParseReference(fmt.Sprintf("%s:%s", srcStr, tag))
-	if err != nil {
-		return false
-	}
-	dst, err := name.ParseReference(fmt.Sprintf("%s:%s", dstStr, tag))
-	if err != nil {
-		return false
-	}
-
-	srcDesc, err := remote.Get(src)
-	if err != nil {
-		return false
-	}
-
-	dstDesc, err := remote.Get(dst)
-	if err != nil {
-		return true
-	}
-
-	return srcDesc.Digest != dstDesc.Digest
-}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@ -113,15 +113,12 @@ change in the future.
 			loginCmd,
 			logoutCmd,
 			switchCmd,
-			configureCmd,
 			netcheckCmd,
 			ipCmd,
 			statusCmd,
 			pingCmd,
 			ncCmd,
 			sshCmd,
-			funnelCmd,
-			serveCmd,
 			versionCmd,
 			webCmd,
 			fileCmd,
@ -149,6 +146,8 @@ change in the future.
 	switch {
 	case slices.Contains(args, "debug"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
+	case slices.Contains(args, "serve"):
+		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
 	case slices.Contains(args, "update"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
 	}
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@ -22,7 +22,6 @@ import (
 	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/version/distro"
 )

@ -622,16 +621,9 @@ func TestPrefsFromUpArgs(t *testing.T) {
 		{
 			name: "error_long_hostname",
 			args: upArgsT{
-				hostname: strings.Repeat(strings.Repeat("a", 63)+".", 4),
+				hostname: strings.Repeat("a", 300),
 			},
-			wantErr: `"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is too long to be a DNS name`,
-		},
-		{
-			name: "error_long_label",
-			args: upArgsT{
-				hostname: strings.Repeat("a", 64) + ".example.com",
-			},
-			wantErr: `"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is not a valid DNS label`,
+			wantErr: `hostname too long: 300 bytes (max 256)`,
 		},
 		{
 			name: "error_linux_netfilter_empty",
@ -720,7 +712,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var warnBuf tstest.MemLogger
-			goos := cmpx.Or(tt.goos, "linux")
+			goos := tt.goos
+			if goos == "" {
+				goos = "linux"
+			}
 			st := tt.st
 			if st == nil {
 				st = new(ipnstate.Status)
@ -1076,42 +1071,13 @@ func TestUpdatePrefs(t *testing.T) {
 			},
 			env: upCheckEnv{backendState: "Running"},
 		},
-		{
-			name:             "force_reauth_over_ssh_no_risk",
-			flags:            []string{"--force-reauth"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "force_reauth_over_ssh",
-			flags:            []string{"--force-reauth", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: nil,
-			env:            upCheckEnv{backendState: "Running"},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.sshOverTailscale {
-				tstest.Replace(t, &getSSHClientEnvVar, func() string { return "100.100.100.100 1 1" })
-			} else if isSSHOverTailscale() {
-				// The test is being executed over a "real" tailscale SSH
-				// session, but sshOverTailscale is unset. Make the test appear
-				// as if it's not over tailscale SSH.
-				tstest.Replace(t, &getSSHClientEnvVar, func() string { return "" })
+				old := getSSHClientEnvVar
+				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
+				t.Cleanup(func() { getSSHClientEnvVar = old })
 			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
--- a/cmd/tailscale/cli/configure-synology.go
+++ b/cmd/tailscale/cli/configure-synology.go
@ -18,38 +18,26 @@ import (
 	"tailscale.com/version/distro"
 )

-// configureHostCmd is the "tailscale configure-host" command which was once
-// used to configure Synology devices, but is now a compatibility alias to
-// "tailscale configure synology".
 var configureHostCmd = &ffcli.Command{
 	Name:      "configure-host",
-	Exec:      runConfigureSynology,
-	ShortHelp: synologyConfigureCmd.ShortHelp,
-	LongHelp:  synologyConfigureCmd.LongHelp,
+	Exec:      runConfigureHost,
+	ShortHelp: "Configure Synology to enable more Tailscale features",
+	LongHelp: strings.TrimSpace(`
+The 'configure-host' command is intended to run at boot as root
+to create the /dev/net/tun device and give the tailscaled binary
+permission to use it.
+
+See: https://tailscale.com/kb/1152/synology-outbound/
+`),
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("configure-host")
 		return fs
 	})(),
 }

-var synologyConfigureCmd = &ffcli.Command{
-	Name:      "synology",
-	Exec:      runConfigureSynology,
-	ShortHelp: "Configure Synology to enable outbound connections",
-	LongHelp: strings.TrimSpace(`
-This command is intended to run at boot as root on a Synology device to
-create the /dev/net/tun device and give the tailscaled binary permission
-to use it.
+var configureHostArgs struct{}

-See: https://tailscale.com/s/synology-outbound
-`),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("synology")
-		return fs
-	})(),
-}
-
-func runConfigureSynology(ctx context.Context, args []string) error {
+func runConfigureHost(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
--- a/cmd/tailscale/cli/configure-kube.go
+++ b/cmd/tailscale/cli/configure-kube.go
@ -1,184 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-//go:build !ts_omit_kube
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/slices"
-	"k8s.io/client-go/util/homedir"
-	"sigs.k8s.io/yaml"
-	"tailscale.com/version"
-)
-
-func init() {
-	configureCmd.Subcommands = append(configureCmd.Subcommands, configureKubeconfigCmd)
-}
-
-var configureKubeconfigCmd = &ffcli.Command{
-	Name:       "kubeconfig",
-	ShortHelp:  "[ALPHA] Connect to a Kubernetes cluster using a Tailscale Auth Proxy",
-	ShortUsage: "kubeconfig <hostname-or-fqdn>",
-	LongHelp: strings.TrimSpace(`
-Run this command to configure kubectl to connect to a Kubernetes cluster over Tailscale.
-
-The hostname argument should be set to the Tailscale hostname of the peer running as an auth proxy in the cluster.
-
-See: https://tailscale.com/s/k8s-auth-proxy
-`),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("kubeconfig")
-		return fs
-	})(),
-	Exec: runConfigureKubeconfig,
-}
-
-// kubeconfigPath returns the path to the kubeconfig file for the current user.
-func kubeconfigPath() string {
-	var dir string
-	if version.IsSandboxedMacOS() {
-		// The HOME environment variable in macOS sandboxed apps is set to
-		// ~/Library/Containers/<app-id>/Data, but the kubeconfig file is
-		// located in ~/.kube/config. We rely on the "com.apple.security.temporary-exception.files.home-relative-path.read-write"
-		// entitlement to access the file.
-		containerHome := os.Getenv("HOME")
-		dir, _, _ = strings.Cut(containerHome, "/Library/Containers/")
-	} else {
-		dir = homedir.HomeDir()
-	}
-	return filepath.Join(dir, ".kube", "config")
-}
-
-func runConfigureKubeconfig(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("unknown arguments")
-	}
-	hostOrFQDN := args[0]
-
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return err
-	}
-	if st.BackendState != "Running" {
-		return errors.New("Tailscale is not running")
-	}
-	targetFQDN, ok := nodeDNSNameFromArg(st, hostOrFQDN)
-	if !ok {
-		return fmt.Errorf("no peer found with hostname %q", hostOrFQDN)
-	}
-	targetFQDN = strings.TrimSuffix(targetFQDN, ".")
-	if err := setKubeconfigForPeer(targetFQDN, kubeconfigPath()); err != nil {
-		return err
-	}
-	printf("kubeconfig configured for %q\n", hostOrFQDN)
-	return nil
-}
-
-// appendOrSetNamed finds a map with a "name" key matching name in dst, and
-// replaces it with val. If no such map is found, val is appended to dst.
-func appendOrSetNamed(dst []any, name string, val map[string]any) []any {
-	if got := slices.IndexFunc(dst, func(m any) bool {
-		if m, ok := m.(map[string]any); ok {
-			return m["name"] == name
-		}
-		return false
-	}); got != -1 {
-		dst[got] = val
-	} else {
-		dst = append(dst, val)
-	}
-	return dst
-}
-
-var errInvalidKubeconfig = errors.New("invalid kubeconfig")
-
-func updateKubeconfig(cfgYaml []byte, fqdn string) ([]byte, error) {
-	var cfg map[string]any
-	if len(cfgYaml) > 0 {
-		if err := yaml.Unmarshal(cfgYaml, &cfg); err != nil {
-			return nil, errInvalidKubeconfig
-		}
-	}
-	if cfg == nil {
-		cfg = map[string]any{
-			"apiVersion": "v1",
-			"kind":       "Config",
-		}
-	} else if cfg["apiVersion"] != "v1" || cfg["kind"] != "Config" {
-		return nil, errInvalidKubeconfig
-	}
-
-	var clusters []any
-	if cm, ok := cfg["clusters"]; ok {
-		clusters = cm.([]any)
-	}
-	cfg["clusters"] = appendOrSetNamed(clusters, fqdn, map[string]any{
-		"name": fqdn,
-		"cluster": map[string]string{
-			"server": "https://" + fqdn,
-		},
-	})
-
-	var users []any
-	if um, ok := cfg["users"]; ok {
-		users = um.([]any)
-	}
-	cfg["users"] = appendOrSetNamed(users, "tailscale-auth", map[string]any{
-		// We just need one of these, and can reuse it for all clusters.
-		"name": "tailscale-auth",
-		"user": map[string]string{
-			// We do not use the token, but if we do not set anything here
-			// kubectl will prompt for a username and password.
-			"token": "unused",
-		},
-	})
-
-	var contexts []any
-	if cm, ok := cfg["contexts"]; ok {
-		contexts = cm.([]any)
-	}
-	cfg["contexts"] = appendOrSetNamed(contexts, fqdn, map[string]any{
-		"name": fqdn,
-		"context": map[string]string{
-			"cluster": fqdn,
-			"user":    "tailscale-auth",
-		},
-	})
-	cfg["current-context"] = fqdn
-	return yaml.Marshal(cfg)
-}
-
-func setKubeconfigForPeer(fqdn, filePath string) error {
-	dir := filepath.Dir(filePath)
-	if _, err := os.Stat(dir); err != nil {
-		if !os.IsNotExist(err) {
-			return err
-		}
-		if err := os.Mkdir(dir, 0755); err != nil {
-			if version.IsSandboxedMacOS() && errors.Is(err, os.ErrPermission) {
-				// macOS sandboxing prevents us from creating the .kube directory
-				// in the home directory.
-				return errors.New("unable to create .kube directory in home directory, please create it manually (e.g. mkdir ~/.kube")
-			}
-			return err
-		}
-	}
-	b, err := os.ReadFile(filePath)
-	if err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("reading kubeconfig: %w", err)
-	}
-	b, err = updateKubeconfig(b, fqdn)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(filePath, b, 0600)
-}
--- a/cmd/tailscale/cli/configure-kube_test.go
+++ b/cmd/tailscale/cli/configure-kube_test.go
@ -1,196 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-//go:build !ts_omit_kube
-
-package cli
-
-import (
-	"bytes"
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-)
-
-func TestKubeconfig(t *testing.T) {
-	const fqdn = "foo.tail-scale.ts.net"
-	tests := []struct {
-		name    string
-		in      string
-		want    string
-		wantErr error
-	}{
-		{
-			name: "invalid-yaml",
-			in: `apiVersion: v1
-kind: ,asdf`,
-			wantErr: errInvalidKubeconfig,
-		},
-		{
-			name: "invalid-cfg",
-			in: `apiVersion: v1
-kind: Pod`,
-			wantErr: errInvalidKubeconfig,
-		},
-		{
-			name: "empty",
-			in:   "",
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-		{
-			name: "already-configured",
-			in: `apiVersion: v1
-clusters:
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-kind: Config
-current-context: foo.tail-scale.ts.net
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-		{
-			name: "other-cluster",
-			in: `apiVersion: v1
-clusters:
- cluster:
-    server: https://192.168.1.1:8443
-  name: some-cluster
-contexts:
- context:
-    cluster: some-cluster
-    user: some-auth
-  name: some-cluster
-kind: Config
-current-context: some-cluster
-users:
- name: some-auth
-  user:
-    token: asdfasdf`,
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://192.168.1.1:8443
-  name: some-cluster
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: some-cluster
-    user: some-auth
-  name: some-cluster
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: some-auth
-  user:
-    token: asdfasdf
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-		{
-			name: "already-using-tailscale",
-			in: `apiVersion: v1
-clusters:
- cluster:
-    server: https://bar.tail-scale.ts.net
-  name: bar.tail-scale.ts.net
-contexts:
- context:
-    cluster: bar.tail-scale.ts.net
-    user: tailscale-auth
-  name: bar.tail-scale.ts.net
-kind: Config
-current-context: bar.tail-scale.ts.net
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://bar.tail-scale.ts.net
-  name: bar.tail-scale.ts.net
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: bar.tail-scale.ts.net
-    user: tailscale-auth
-  name: bar.tail-scale.ts.net
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := updateKubeconfig([]byte(tt.in), fqdn)
-			if err != nil {
-				if err != tt.wantErr {
-					t.Fatalf("updateKubeconfig() error = %v, wantErr %v", err, tt.wantErr)
-				}
-				return
-			} else if tt.wantErr != nil {
-				t.Fatalf("updateKubeconfig() error = %v, wantErr %v", err, tt.wantErr)
-			}
-			got = bytes.TrimSpace(got)
-			want := []byte(strings.TrimSpace(tt.want))
-			if d := cmp.Diff(want, got); d != "" {
-				t.Errorf("Kubeconfig() mismatch (-want +got):\n%s", d)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/configure.go
+++ b/cmd/tailscale/cli/configure.go
@ -1,38 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"runtime"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/version/distro"
-)
-
-var configureCmd = &ffcli.Command{
-	Name:      "configure",
-	ShortHelp: "[ALPHA] Configure the host to enable more Tailscale features",
-	LongHelp: strings.TrimSpace(`
-The 'configure' set of commands are intended to provide a way to enable different
-services on the host to use Tailscale in more ways.
-`),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure")
-		return fs
-	})(),
-	Subcommands: configureSubcommands(),
-	Exec: func(ctx context.Context, args []string) error {
-		return flag.ErrHelp
-	},
-}
-
-func configureSubcommands() (out []*ffcli.Command) {
-	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
-		out = append(out, synologyConfigureCmd)
-	}
-	return out
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@ -201,23 +201,6 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
-		{
-			Name:      "portmap",
-			Exec:      debugPortmap,
-			ShortHelp: "run portmap debugging debugging",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("portmap")
-				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
-				fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
-				fs.StringVar(&debugPortmapArgs.gwSelf, "gw-self", "", `override gateway and self IP (format: "gatewayIP/selfIP")`)
-				return fs
-			})(),
-		},
-		{
-			Name:      "peer-endpoint-changes",
-			Exec:      runPeerEndpointChanges,
-			ShortHelp: "prints debug information about a peer's endpoint changes",
-		},
 	},
 }

@ -806,82 +789,3 @@ func runCapture(ctx context.Context, args []string) error {
 	_, err = io.Copy(f, stream)
 	return err
 }
-
-var debugPortmapArgs struct {
-	duration time.Duration
-	gwSelf   string
-	ty       string
-}
-
-func debugPortmap(ctx context.Context, args []string) error {
-	rc, err := localClient.DebugPortmap(ctx,
-		debugPortmapArgs.duration,
-		debugPortmapArgs.ty,
-		debugPortmapArgs.gwSelf,
-	)
-	if err != nil {
-		return err
-	}
-	defer rc.Close()
-
-	_, err = io.Copy(os.Stdout, rc)
-	return err
-}
-
-func runPeerEndpointChanges(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
-	}
-
-	if len(args) != 1 || args[0] == "" {
-		return errors.New("usage: peer-status <hostname-or-IP>")
-	}
-	var ip string
-
-	hostOrIP := args[0]
-	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
-	if err != nil {
-		return err
-	}
-	if self {
-		printf("%v is local Tailscale IP\n", ip)
-		return nil
-	}
-
-	if ip != hostOrIP {
-		log.Printf("lookup %q => %q", hostOrIP, ip)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/debug-peer-endpoint-changes?ip="+ip, nil)
-	if err != nil {
-		return err
-	}
-
-	resp, err := localClient.DoLocalRequest(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-
-	var dst bytes.Buffer
-	if err := json.Indent(&dst, body, "", "  "); err != nil {
-		return fmt.Errorf("indenting returned JSON: %w", err)
-	}
-
-	if ss := dst.String(); !strings.HasSuffix(ss, "\n") {
-		dst.WriteByte('\n')
-	}
-	fmt.Printf("%s", dst.String())
-	return nil
-}
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@ -66,7 +66,7 @@ func isSystemdSystem() bool {
 		return false
 	}
 	switch distro.Get() {
-	case distro.QNAP, distro.Gokrazy, distro.Synology, distro.Unraid:
+	case distro.QNAP, distro.Gokrazy, distro.Synology:
 		return false
 	}
 	_, err := exec.LookPath("systemctl")
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@ -1,138 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"net"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-	"tailscale.com/util/mak"
-)
-
-var funnelCmd = newFunnelCommand(&serveEnv{lc: &localClient})
-
-// newFunnelCommand returns a new "funnel" subcommand using e as its environment.
-// The funnel subcommand is used to turn on/off the Funnel service.
-// Funnel is off by default.
-// Funnel allows you to publish a 'tailscale serve' server publicly, open to the
-// entire internet.
-// newFunnelCommand shares the same serveEnv as the "serve" subcommand. See
-// newServeCommand and serve.go for more details.
-func newFunnelCommand(e *serveEnv) *ffcli.Command {
-	return &ffcli.Command{
-		Name:      "funnel",
-		ShortHelp: "Turn on/off Funnel service",
-		ShortUsage: strings.Join([]string{
-			"funnel <serve-port> {on|off}",
-			"funnel status [--json]",
-		}, "\n  "),
-		LongHelp: strings.Join([]string{
-			"Funnel allows you to publish a 'tailscale serve'",
-			"server publicly, open to the entire internet.",
-			"",
-			"Turning off Funnel only turns off serving to the internet.",
-			"It does not affect serving to your tailnet.",
-		}, "\n"),
-		Exec:      e.runFunnel,
-		UsageFunc: usageFunc,
-		Subcommands: []*ffcli.Command{
-			{
-				Name:      "status",
-				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve/funnel status",
-				FlagSet: e.newFlags("funnel-status", func(fs *flag.FlagSet) {
-					fs.BoolVar(&e.json, "json", false, "output JSON")
-				}),
-				UsageFunc: usageFunc,
-			},
-		},
-	}
-}
-
-// runFunnel is the entry point for the "tailscale funnel" subcommand and
-// manages turning on/off funnel. Funnel is off by default.
-//
-// Note: funnel is only supported on single DNS name for now. (2022-11-15)
-func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
-	if len(args) != 2 {
-		return flag.ErrHelp
-	}
-
-	var on bool
-	switch args[1] {
-	case "on", "off":
-		on = args[1] == "on"
-	default:
-		return flag.ErrHelp
-	}
-	sc, err := e.lc.GetServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-	st, err := e.getLocalClientStatus(ctx)
-	if err != nil {
-		return fmt.Errorf("getting client status: %w", err)
-	}
-
-	port64, err := strconv.ParseUint(args[0], 10, 16)
-	if err != nil {
-		return err
-	}
-	port := uint16(port64)
-
-	if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
-		return err
-	}
-	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
-	hp := ipn.HostPort(dnsName + ":" + strconv.Itoa(int(port)))
-	if on == sc.AllowFunnel[hp] {
-		printFunnelWarning(sc)
-		// Nothing to do.
-		return nil
-	}
-	if on {
-		mak.Set(&sc.AllowFunnel, hp, true)
-	} else {
-		delete(sc.AllowFunnel, hp)
-		// clear map mostly for testing
-		if len(sc.AllowFunnel) == 0 {
-			sc.AllowFunnel = nil
-		}
-	}
-	if err := e.lc.SetServeConfig(ctx, sc); err != nil {
-		return err
-	}
-	printFunnelWarning(sc)
-	return nil
-}
-
-// printFunnelWarning prints a warning if the Funnel is on but there is no serve
-// config for its host:port.
-func printFunnelWarning(sc *ipn.ServeConfig) {
-	var warn bool
-	for hp, a := range sc.AllowFunnel {
-		if !a {
-			continue
-		}
-		_, portStr, _ := net.SplitHostPort(string(hp))
-		p, _ := strconv.ParseUint(portStr, 10, 16)
-		if _, ok := sc.TCP[uint16(p)]; !ok {
-			warn = true
-			fmt.Fprintf(os.Stderr, "Warning: funnel=on for %s, but no serve config\n", hp)
-		}
-	}
-	if warn {
-		fmt.Fprintf(os.Stderr, "         run: `tailscale serve --help` to see how to configure handlers\n")
-	}
-}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@ -19,7 +19,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
-	"tailscale.com/net/netmon"
 	"tailscale.com/net/portmapper"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@ -46,15 +45,9 @@ var netcheckArgs struct {
 }

 func runNetcheck(ctx context.Context, args []string) error {
-	logf := logger.WithPrefix(log.Printf, "portmap: ")
-	netMon, err := netmon.New(logf)
-	if err != nil {
-		return err
-	}
 	c := &netcheck.Client{
 		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
-		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil),
-		UseDNSCache: false, // always resolve, don't cache
+		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil),
 	}
 	if netcheckArgs.verbose {
 		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")
@ -103,6 +96,7 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	var err error
 	switch netcheckArgs.format {
 	case "":
+		break
 	case "json":
 		j, err = json.MarshalIndent(report, "", "\t")
 	case "json-line":
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@ -15,7 +15,6 @@ import (
 	"os"
 	"strconv"
 	"strings"
-	"time"

 	"github.com/mattn/go-colorable"
 	"github.com/mattn/go-isatty"
@ -41,16 +40,7 @@ var netlockCmd = &ffcli.Command{
 		nlLogCmd,
 		nlLocalDisableCmd,
 	},
-	Exec: runNetworkLockNoSubcommand,
-}
-
-func runNetworkLockNoSubcommand(ctx context.Context, args []string) error {
-	// Detect & handle the deprecated command 'lock tskey-wrap'.
-	if len(args) >= 2 && args[0] == "tskey-wrap" {
-		return runTskeyWrapCmd(ctx, args[1:])
-	}
-
-	return runNetworkLockStatus(ctx, args)
+	Exec: runNetworkLockStatus,
 }

 var nlInitArgs struct {
@ -240,15 +230,6 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 			if k.Key == st.PublicKey {
 				line.WriteString("(self)")
 			}
-			if k.Metadata["purpose"] == "pre-auth key" {
-				if preauthKeyID := k.Metadata["authkey_stableid"]; preauthKeyID != "" {
-					line.WriteString("(pre-auth key ")
-					line.WriteString(preauthKeyID)
-					line.WriteString(")")
-				} else {
-					line.WriteString("(pre-auth key)")
-				}
-			}
 			fmt.Println(line.String())
 		}
 	}
@ -264,13 +245,11 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 			for i, addr := range p.TailscaleIPs {
 				line.WriteString(addr.String())
 				if i < len(p.TailscaleIPs)-1 {
-					line.WriteString(",")
+					line.WriteString(", ")
 				}
 			}
 			line.WriteString("\t")
 			line.WriteString(string(p.StableID))
-			line.WriteString("\t")
-			line.WriteString(p.NodeKey.String())
 			fmt.Println(line.String())
 		}
 	}
@ -288,78 +267,14 @@ var nlAddCmd = &ffcli.Command{
 	},
 }

-var nlRemoveArgs struct {
-	resign bool
-}
-
 var nlRemoveCmd = &ffcli.Command{
 	Name:       "remove",
-	ShortUsage: "remove [--re-sign=false] <public-key>...",
+	ShortUsage: "remove <public-key>...",
 	ShortHelp:  "Removes one or more trusted signing keys from tailnet lock",
 	LongHelp:   "Removes one or more trusted signing keys from tailnet lock",
-	Exec:       runNetworkLockRemove,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("lock remove")
-		fs.BoolVar(&nlRemoveArgs.resign, "re-sign", true, "resign signatures which would be invalidated by removal of trusted signing keys")
-		return fs
-	})(),
-}
-
-func runNetworkLockRemove(ctx context.Context, args []string) error {
-	removeKeys, _, err := parseNLArgs(args, true, false)
-	if err != nil {
-		return err
-	}
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if !st.Enabled {
-		return errors.New("tailnet lock is not enabled")
-	}
-
-	if nlRemoveArgs.resign {
-		// Validate we are not removing trust in ourselves while resigning. This is because
-		// we resign with our own key, so the signatures would be immediately invalid.
-		for _, k := range removeKeys {
-			kID, err := k.ID()
-			if err != nil {
-				return fmt.Errorf("computing KeyID for key %v: %w", k, err)
-			}
-			if bytes.Equal(st.PublicKey.KeyID(), kID) {
-				return errors.New("cannot remove local trusted signing key while resigning; run command on a different node or with --re-sign=false")
-			}
-		}
-
-		// Resign affected signatures for each of the keys we are removing.
-		for _, k := range removeKeys {
-			kID, _ := k.ID() // err already checked above
-			sigs, err := localClient.NetworkLockAffectedSigs(ctx, kID)
-			if err != nil {
-				return fmt.Errorf("affected sigs for key %X: %w", kID, err)
-			}
-
-			for _, sigBytes := range sigs {
-				var sig tka.NodeKeySignature
-				if err := sig.Unserialize(sigBytes); err != nil {
-					return fmt.Errorf("failed decoding signature: %w", err)
-				}
-				var nodeKey key.NodePublic
-				if err := nodeKey.UnmarshalBinary(sig.Pubkey); err != nil {
-					return fmt.Errorf("failed decoding pubkey for signature: %w", err)
-				}
-
-				// Safety: NetworkLockAffectedSigs() verifies all signatures before
-				// successfully returning.
-				rotationKey, _ := sig.UnverifiedWrappingPublic()
-				if err := localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey)); err != nil {
-					return fmt.Errorf("failed to sign %v: %w", nodeKey, err)
-				}
-			}
-		}
-	}
-
-	return localClient.NetworkLockModify(ctx, nil, removeKeys)
+	Exec: func(ctx context.Context, args []string) error {
+		return runNetworkLockModify(ctx, nil, args)
+	},
 }

 // parseNLArgs parses a slice of strings into slices of tka.Key & disablement
@ -435,19 +350,13 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err

 var nlSignCmd = &ffcli.Command{
 	Name:       "sign",
-	ShortUsage: "sign <node-key> [<rotation-key>] or sign <auth-key>",
-	ShortHelp:  "Signs a node or pre-approved auth key",
-	LongHelp: `Either:
-  - signs a node key and transmits the signature to the coordination server, or
-  - signs a pre-approved auth key, printing it in a form that can be used to bring up nodes under tailnet lock`,
-	Exec: runNetworkLockSign,
+	ShortUsage: "sign <node-key> [<rotation-key>]",
+	ShortHelp:  "Signs a node key and transmits the signature to the coordination server",
+	LongHelp:   "Signs a node key and transmits the signature to the coordination server",
+	Exec:       runNetworkLockSign,
 }

 func runNetworkLockSign(ctx context.Context, args []string) error {
-	if len(args) > 0 && strings.HasPrefix(args[0], "tskey-auth-") {
-		return runTskeyWrapCmd(ctx, args)
-	}
-
 	var (
 		nodeKey     key.NodePublic
 		rotationKey key.NLPublic
@ -465,16 +374,7 @@ func runNetworkLockSign(ctx context.Context, args []string) error {
 		}
 	}

-	err := localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
-	// Provide a better help message for when someone clicks through the signing flow
-	// on the wrong device.
-	if err != nil && strings.Contains(err.Error(), "this node is not trusted by network lock") {
-		fmt.Fprintln(os.Stderr, "Error: Signing is not available on this device because it does not have a trusted tailnet lock key.")
-		fmt.Fprintln(os.Stderr)
-		fmt.Fprintln(os.Stderr, "Try again on a signing device instead. Tailnet admins can see signing devices on the admin panel.")
-		fmt.Fprintln(os.Stderr)
-	}
-	return err
+	return localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
 }

 var nlDisableCmd = &ffcli.Command{
@ -658,56 +558,3 @@ func runNetworkLockLog(ctx context.Context, args []string) error {
 	}
 	return nil
 }
-
-func runTskeyWrapCmd(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: lock tskey-wrap <tailscale pre-auth key>")
-	}
-	if strings.Contains(args[0], "--TL") {
-		return errors.New("Error: provided key was already wrapped")
-	}
-
-	st, err := localClient.StatusWithoutPeers(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-
-	return wrapAuthKey(ctx, args[0], st)
-}
-
-func wrapAuthKey(ctx context.Context, keyStr string, status *ipnstate.Status) error {
-	// Generate a separate tailnet-lock key just for the credential signature.
-	// We use the free-form meta strings to mark a little bit of metadata about this
-	// key.
-	priv := key.NewNLPrivate()
-	m := map[string]string{
-		"purpose":            "pre-auth key",
-		"wrapper_stableid":   string(status.Self.ID),
-		"wrapper_createtime": fmt.Sprint(time.Now().Unix()),
-	}
-	if strings.HasPrefix(keyStr, "tskey-auth-") && strings.Index(keyStr[len("tskey-auth-"):], "-") > 0 {
-		// We don't want to accidentally embed the nonce part of the authkey in
-		// the event the format changes. As such, we make sure its in the format we
-		// expect (tskey-auth-<stableID, inc CNTRL suffix>-nonce) before we parse
-		// out and embed the stableID.
-		s := strings.TrimPrefix(keyStr, "tskey-auth-")
-		m["authkey_stableid"] = s[:strings.Index(s, "-")]
-	}
-	k := tka.Key{
-		Kind:   tka.Key25519,
-		Public: priv.Public().Verifier(),
-		Votes:  1,
-		Meta:   m,
-	}
-
-	wrapped, err := localClient.NetworkLockWrapPreauthKey(ctx, keyStr, priv)
-	if err != nil {
-		return fmt.Errorf("wrapping failed: %w", err)
-	}
-	if err := localClient.NetworkLockModify(ctx, []tka.Key{k}, nil); err != nil {
-		return fmt.Errorf("add key failed: %w", err)
-	}
-
-	fmt.Println(wrapped)
-	return nil
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@ -51,7 +51,7 @@ relay node.
 		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
 		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
 		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
-		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send. 0 for infinity.")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
 		return fs
 	})(),
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@ -16,14 +16,15 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
-	"runtime"
 	"sort"
 	"strconv"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
@ -34,72 +35,78 @@ var serveCmd = newServeCommand(&serveEnv{lc: &localClient})
 func newServeCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "serve",
-		ShortHelp: "Serve content and local servers",
-		ShortUsage: strings.Join([]string{
-			"serve http:<port> <mount-point> <source> [off]",
-			"serve https:<port> <mount-point> <source> [off]",
-			"serve tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve status [--json]",
-			"serve reset",
-		}, "\n  "),
+		ShortHelp: "[ALPHA] Serve from your Tailscale node",
+		ShortUsage: strings.TrimSpace(`
+  serve [flags] <mount-point> {proxy|path|text} <arg>
+  serve [flags] <sub-command> [sub-flags] <args>`),
 		LongHelp: strings.TrimSpace(`
-*** BETA; all of this is subject to change ***
+*** ALPHA; all of this is subject to change ***

 The 'tailscale serve' set of commands allows you to serve
 content and local servers from your Tailscale node to
-your tailnet.
+your tailnet. 

 You can also choose to enable the Tailscale Funnel with:
-'tailscale funnel on'. Funnel allows you to publish
+'tailscale serve funnel on'. Funnel allows you to publish
 a 'tailscale serve' server publicly, open to the entire
 internet. See https://tailscale.com/funnel.

 EXAMPLES
  - To proxy requests to a web server at 127.0.0.1:3000:
-    $ tailscale serve https:443 / http://127.0.0.1:3000
-
-    Or, using the default port (443):
-    $ tailscale serve https / http://127.0.0.1:3000
+    $ tailscale serve / proxy 3000

  - To serve a single file or a directory of files:
-    $ tailscale serve https / /home/alice/blog/index.html
-    $ tailscale serve https /images/ /home/alice/blog/images
+    $ tailscale serve / path /home/alice/blog/index.html
+    $ tailscale serve /images/ path /home/alice/blog/images

  - To serve simple static text:
-    $ tailscale serve https:8080 / text:"Hello, world!"
-
-  - To serve over HTTP (tailnet only):
-    $ tailscale serve http:80 / http://127.0.0.1:3000
-
-    Or, using the default port (80):
-    $ tailscale serve http / http://127.0.0.1:3000
-
-  - To forward incoming TCP connections on port 2222 to a local TCP server on
-    port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):
-    $ tailscale serve tcp:2222 tcp://localhost:22
-
-  - To accept TCP TLS connections (terminated within tailscaled) proxied to a
-    local plaintext server on port 80:
-    $ tailscale serve tls-terminated-tcp:443 tcp://localhost:80
+    $ tailscale serve / text "Hello, world!"
 `),
-		Exec:      e.runServe,
+		Exec: e.runServe,
+		FlagSet: e.newFlags("serve", func(fs *flag.FlagSet) {
+			fs.BoolVar(&e.remove, "remove", false, "remove an existing serve config")
+			fs.UintVar(&e.servePort, "serve-port", 443, "port to serve on (443, 8443 or 10000)")
+		}),
 		UsageFunc: usageFunc,
 		Subcommands: []*ffcli.Command{
 			{
 				Name:      "status",
 				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve/funnel status",
+				ShortHelp: "show current serve status",
 				FlagSet: e.newFlags("serve-status", func(fs *flag.FlagSet) {
 					fs.BoolVar(&e.json, "json", false, "output JSON")
 				}),
 				UsageFunc: usageFunc,
 			},
 			{
-				Name:      "reset",
-				Exec:      e.runServeReset,
-				ShortHelp: "reset current serve/funnel config",
-				FlagSet:   e.newFlags("serve-reset", nil),
+				Name:      "tcp",
+				Exec:      e.runServeTCP,
+				ShortHelp: "add or remove a TCP port forward",
+				LongHelp: strings.Join([]string{
+					"EXAMPLES",
+					"  - Forward TLS over TCP to a local TCP server on port 5432:",
+					"    $ tailscale serve tcp 5432",
+					"",
+					"  - Forward raw, TLS-terminated TCP packets to a local TCP server on port 5432:",
+					"    $ tailscale serve tcp --terminate-tls 5432",
+				}, "\n"),
+				FlagSet: e.newFlags("serve-tcp", func(fs *flag.FlagSet) {
+					fs.BoolVar(&e.terminateTLS, "terminate-tls", false, "terminate TLS before forwarding TCP connection")
+				}),
+				UsageFunc: usageFunc,
+			},
+			{
+				Name:       "funnel",
+				Exec:       e.runServeFunnel,
+				ShortUsage: "funnel [flags] {on|off}",
+				ShortHelp:  "turn Tailscale Funnel on or off",
+				LongHelp: strings.Join([]string{
+					"Funnel allows you to publish a 'tailscale serve'",
+					"server publicly, open to the entire internet.",
+					"",
+					"Turning off Funnel only turns off serving to the internet.",
+					"It does not affect serving to your tailnet.",
+				}, "\n"),
 				UsageFunc: usageFunc,
 			},
 		},
@ -138,7 +145,10 @@ type localServeClient interface {
 // It also contains the flags, as registered with newServeCommand.
 type serveEnv struct {
 	// flags
-	json bool // output JSON (status only for now)
+	servePort    uint // Port to serve on. Defaults to 443.
+	terminateTLS bool
+	remove       bool // remove a serve config
+	json         bool // output JSON (status only for now)

 	lc localServeClient // localClient interface, specific to serve

@ -178,16 +188,28 @@ func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status,
 	return st, nil
 }

+// validateServePort returns --serve-port flag value,
+// or an error if the port is not a valid port to serve on.
+func (e *serveEnv) validateServePort() (port uint16, err error) {
+	// make sure e.servePort is uint16
+	port = uint16(e.servePort)
+	if uint(port) != e.servePort {
+		return 0, fmt.Errorf("serve-port %d is out of range", e.servePort)
+	}
+	// make sure e.servePort is 443, 8443 or 10000
+	if port != 443 && port != 8443 && port != 10000 {
+		return 0, fmt.Errorf("serve-port %d is invalid; must be 443, 8443 or 10000", e.servePort)
+	}
+	return port, nil
+}
+
 // runServe is the entry point for the "serve" subcommand, managing Web
 // serve config types like proxy, path, and text.
 //
 // Examples:
-// - tailscale serve http / http://localhost:3000
-// - tailscale serve https / http://localhost:3000
-// - tailscale serve https /images/ /var/www/images/
-// - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-// - tailscale serve tcp:2222 tcp://localhost:22
-// - tailscale serve tls-terminated-tcp:443 tcp://localhost:80
+// - tailscale serve / proxy 3000
+// - tailscale serve /images/ path /var/www/images/
+// - tailscale --serve-port=10000 serve /motd.txt text "Hello, world!"
 func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 	if len(args) == 0 {
 		return flag.ErrHelp
@ -207,90 +229,39 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.lc.SetServeConfig(ctx, sc)
 	}

-	srcType, srcPortStr, found := strings.Cut(args[0], ":")
-	if !found {
-		if srcType == "https" && srcPortStr == "" {
-			// Default https port to 443.
-			srcPortStr = "443"
-		} else if srcType == "http" && srcPortStr == "" {
-			// Default http port to 80.
-			srcPortStr = "80"
-		} else {
-			return flag.ErrHelp
-		}
-	}
-
-	turnOff := "off" == args[len(args)-1]
-
-	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
+	if !(len(args) == 3 || (e.remove && len(args) >= 1)) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}

-	srcPort, err := parseServePort(srcPortStr)
+	srvPort, err := e.validateServePort()
 	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", srcPortStr, err)
+		return err
+	}
+	srvPortStr := strconv.Itoa(int(srvPort))
+
+	mount, err := cleanMountPoint(args[0])
+	if err != nil {
+		return err
 	}

-	switch srcType {
-	case "https", "http":
-		mount, err := cleanMountPoint(args[1])
-		if err != nil {
-			return err
-		}
-		if turnOff {
-			return e.handleWebServeRemove(ctx, srcPort, mount)
-		}
-		useTLS := srcType == "https"
-		return e.handleWebServe(ctx, srcPort, useTLS, mount, args[2])
-	case "tcp", "tls-terminated-tcp":
-		if turnOff {
-			return e.handleTCPServeRemove(ctx, srcPort)
-		}
-		return e.handleTCPServe(ctx, srcType, srcPort, args[1])
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
-		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
-		return flag.ErrHelp
+	if e.remove {
+		return e.handleWebServeRemove(ctx, mount)
 	}
-}

-// handleWebServe handles the "tailscale serve (http/https):..." subcommand. It
-// configures the serve config to forward HTTPS connections to the given source.
-//
-// Examples:
-//   - tailscale serve http / http://localhost:3000
-//   - tailscale serve https / http://localhost:3000
-//   - tailscale serve https:8443 /files/ /home/alice/shared-files/
-//   - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bool, mount, source string) error {
 	h := new(ipn.HTTPHandler)

-	ts, _, _ := strings.Cut(source, ":")
-	switch {
-	case ts == "text":
-		text := strings.TrimPrefix(source, "text:")
-		if text == "" {
-			return errors.New("unable to serve; text cannot be an empty string")
-		}
-		h.Text = text
-	case isProxyTarget(source):
-		t, err := expandProxyTarget(source)
-		if err != nil {
-			return err
-		}
-		h.Proxy = t
-	default: // assume path
+	switch args[1] {
+	case "path":
 		if version.IsSandboxedMacOS() {
 			// don't allow path serving for now on macOS (2022-11-15)
 			return fmt.Errorf("path serving is not supported if sandboxed on macOS")
 		}
-		if !filepath.IsAbs(source) {
+		if !filepath.IsAbs(args[2]) {
 			fmt.Fprintf(os.Stderr, "error: path must be absolute\n\n")
 			return flag.ErrHelp
 		}
-		source = filepath.Clean(source)
-		fi, err := os.Stat(source)
+		fi, err := os.Stat(args[2])
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: invalid path: %v\n\n", err)
 			return flag.ErrHelp
@ -300,7 +271,21 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 			// for relative file links to work
 			mount += "/"
 		}
-		h.Path = source
+		h.Path = args[2]
+	case "proxy":
+		t, err := expandProxyTarget(args[2])
+		if err != nil {
+			return err
+		}
+		h.Proxy = t
+	case "text":
+		if args[2] == "" {
+			return errors.New("unable to serve; text cannot be an empty string")
+		}
+		h.Text = args[2]
+	default:
+		fmt.Fprintf(os.Stderr, "error: unknown serve type %q\n\n", args[1])
+		return flag.ErrHelp
 	}

 	cursc, err := e.lc.GetServeConfig(ctx)
@ -315,14 +300,14 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 	if err != nil {
 		return err
 	}
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, srvPortStr))

 	if sc.IsTCPForwardingOnPort(srvPort) {
 		fmt.Fprintf(os.Stderr, "error: cannot serve web; already serving TCP\n")
 		return flag.ErrHelp
 	}

-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: true})

 	if _, ok := sc.Web[hp]; !ok {
 		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
@ -354,36 +339,12 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 	return nil
 }

-// isProxyTarget reports whether source is a valid proxy target.
-func isProxyTarget(source string) bool {
-	if strings.HasPrefix(source, "http://") ||
-		strings.HasPrefix(source, "https://") ||
-		strings.HasPrefix(source, "https+insecure://") {
-		return true
+func (e *serveEnv) handleWebServeRemove(ctx context.Context, mount string) error {
+	srvPort, err := e.validateServePort()
+	if err != nil {
+		return err
 	}
-	// support "localhost:3000", for example
-	_, portStr, ok := strings.Cut(source, ":")
-	if ok && allNumeric(portStr) {
-		return true
-	}
-	return false
-}
-
-// allNumeric reports whether s only comprises of digits
-// and has at least one digit.
-func allNumeric(s string) bool {
-	for i := 0; i < len(s); i++ {
-		if s[i] < '0' || s[i] > '9' {
-			return false
-		}
-	}
-	return s != ""
-}
-
-// handleWebServeRemove removes a web handler from the serve config.
-// The srvPort argument is the serving port and the mount argument is
-// the mount point or registered path to remove.
-func (e *serveEnv) handleWebServeRemove(ctx context.Context, srvPort uint16, mount string) error {
+	srvPortStr := strconv.Itoa(int(srvPort))
 	sc, err := e.lc.GetServeConfig(ctx)
 	if err != nil {
 		return err
@ -398,9 +359,9 @@ func (e *serveEnv) handleWebServeRemove(ctx context.Context, srvPort uint16, mou
 	if sc.IsTCPForwardingOnPort(srvPort) {
 		return errors.New("cannot remove web handler; currently serving TCP")
 	}
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
+	hp := ipn.HostPort(net.JoinHostPort(dnsName, srvPortStr))
 	if !sc.WebHandlerExists(hp, mount) {
-		return errors.New("error: handler does not exist")
+		return errors.New("error: serve config does not exist")
 	}
 	// delete existing handler, then cascade delete if empty
 	delete(sc.Web[hp].Handlers, mount)
@ -425,7 +386,6 @@ func cleanMountPoint(mount string) (string, error) {
 	if mount == "" {
 		return "", errors.New("mount point cannot be empty")
 	}
-	mount = cleanMinGWPathConversionIfNeeded(mount)
 	if !strings.HasPrefix(mount, "/") {
 		mount = "/" + mount
 	}
@ -436,31 +396,18 @@ func cleanMountPoint(mount string) (string, error) {
 	return "", fmt.Errorf("invalid mount point %q", mount)
 }

-// cleanMinGWPathConversionIfNeeded strips the EXEPATH prefix from the given
-// path if the path is a MinGW(ish) (Windows) shell arg.
-//
-// MinGW(ish) (Windows) shells perform POSIX-to-Windows path conversion
-// converting the leading "/" of any shell arg to the EXEPATH, which mangles the
-// mount point. Strip the EXEPATH prefix if it exists. #7963
-//
-// "/C:/Program Files/Git/foo" -> "/foo"
-func cleanMinGWPathConversionIfNeeded(path string) string {
-	// Only do this on Windows.
-	if runtime.GOOS != "windows" {
-		return path
+func expandProxyTarget(target string) (string, error) {
+	if allNumeric(target) {
+		p, err := strconv.ParseUint(target, 10, 16)
+		if p == 0 || err != nil {
+			return "", fmt.Errorf("invalid port %q", target)
+		}
+		return "http://127.0.0.1:" + target, nil
 	}
-	if _, ok := os.LookupEnv("MSYSTEM"); ok {
-		exepath := filepath.ToSlash(os.Getenv("EXEPATH"))
-		path = strings.TrimPrefix(path, exepath)
+	if !strings.Contains(target, "://") {
+		target = "http://" + target
 	}
-	return path
-}
-
-func expandProxyTarget(source string) (string, error) {
-	if !strings.Contains(source, "://") {
-		source = "http://" + source
-	}
-	u, err := url.ParseRequestURI(source)
+	u, err := url.ParseRequestURI(target)
 	if err != nil {
 		return "", fmt.Errorf("parsing url: %w", err)
 	}
@ -470,14 +417,9 @@ func expandProxyTarget(source string) (string, error) {
 	default:
 		return "", fmt.Errorf("must be a URL starting with http://, https://, or https+insecure://")
 	}
-
-	port, err := strconv.ParseUint(u.Port(), 10, 16)
-	if port == 0 || err != nil {
-		return "", fmt.Errorf("invalid port %q: %w", u.Port(), err)
-	}
-
 	host := u.Hostname()
 	switch host {
+	// TODO(shayne,bradfitz): do we want to do this?
 	case "localhost", "127.0.0.1":
 		host = "127.0.0.1"
 	default:
@ -487,115 +429,19 @@ func expandProxyTarget(source string) (string, error) {
 	if u.Port() != "" {
 		url += ":" + u.Port()
 	}
-	url += u.Path
 	return url, nil
 }

-// handleTCPServe handles the "tailscale serve tls-terminated-tcp:..." subcommand.
-// It configures the serve config to forward TCP connections to the
-// given source.
-//
-// Examples:
-//   - tailscale serve tcp:2222 tcp://localhost:22
-//   - tailscale serve tls-terminated-tcp:8443 tcp://localhost:8080
-func (e *serveEnv) handleTCPServe(ctx context.Context, srcType string, srcPort uint16, dest string) error {
-	var terminateTLS bool
-	switch srcType {
-	case "tcp":
-		terminateTLS = false
-	case "tls-terminated-tcp":
-		terminateTLS = true
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n\n", dest)
-		return flag.ErrHelp
-	}
-
-	dstURL, err := url.Parse(dest)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return flag.ErrHelp
-	}
-	host, dstPortStr, err := net.SplitHostPort(dstURL.Host)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return flag.ErrHelp
-	}
-
-	switch host {
-	case "localhost", "127.0.0.1":
-		// ok
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n", dest)
-		fmt.Fprint(os.Stderr, "must be one of: localhost or 127.0.0.1\n\n", dest)
-		return flag.ErrHelp
-	}
-
-	if p, err := strconv.ParseUint(dstPortStr, 10, 16); p == 0 || err != nil {
-		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", dstPortStr)
-		return flag.ErrHelp
-	}
-
-	cursc, err := e.lc.GetServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	sc := cursc.Clone() // nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-
-	fwdAddr := "127.0.0.1:" + dstPortStr
-
-	if sc.IsServingWeb(srcPort) {
-		return fmt.Errorf("cannot serve TCP; already serving web on %d", srcPort)
-	}
-
-	mak.Set(&sc.TCP, srcPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
-
-	dnsName, err := e.getSelfDNSName(ctx)
-	if err != nil {
-		return err
-	}
-	if terminateTLS {
-		sc.TCP[srcPort].TerminateTLS = dnsName
-	}
-
-	if !reflect.DeepEqual(cursc, sc) {
-		if err := e.lc.SetServeConfig(ctx, sc); err != nil {
-			return err
+func allNumeric(s string) bool {
+	for i := 0; i < len(s); i++ {
+		if s[i] < '0' || s[i] > '9' {
+			return false
 		}
 	}
-
-	return nil
+	return s != ""
 }

-// handleTCPServeRemove removes the TCP forwarding configuration for the
-// given srvPort, or serving port.
-func (e *serveEnv) handleTCPServeRemove(ctx context.Context, src uint16) error {
-	cursc, err := e.lc.GetServeConfig(ctx)
-	if err != nil {
-		return err
-	}
-	sc := cursc.Clone() // nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-	if sc.IsServingWeb(src) {
-		return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", src)
-	}
-	if ph := sc.GetTCPPortHandler(src); ph != nil {
-		delete(sc.TCP, src)
-		// clear map mostly for testing
-		if len(sc.TCP) == 0 {
-			sc.TCP = nil
-		}
-		return e.lc.SetServeConfig(ctx, sc)
-	}
-	return errors.New("error: serve config does not exist")
-}
-
-// runServeStatus is the entry point for the "serve status"
-// subcommand and prints the current serve config.
+// runServeStatus prints the current serve config.
 //
 // Examples:
 //   - tailscale status
@ -614,7 +460,6 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		e.stdout().Write(j)
 		return nil
 	}
-	printFunnelStatus(ctx)
 	if sc == nil || (len(sc.TCP) == 0 && len(sc.Web) == 0 && len(sc.AllowFunnel) == 0) {
 		printf("No serve config\n")
 		return nil
@ -630,13 +475,20 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printf("\n")
 	}
 	for hp := range sc.Web {
-		err := e.printWebStatusTree(sc, hp)
-		if err != nil {
-			return err
-		}
+		printWebStatusTree(sc, hp)
 		printf("\n")
 	}
-	printFunnelWarning(sc)
+	// warn when funnel on without handlers
+	for hp, a := range sc.AllowFunnel {
+		if !a {
+			continue
+		}
+		_, portStr, _ := net.SplitHostPort(string(hp))
+		p, _ := strconv.ParseUint(portStr, 10, 16)
+		if _, ok := sc.TCP[uint16(p)]; !ok {
+			printf("WARNING: funnel=on for %s, but no serve config\n", hp)
+		}
+	}
 	return nil
 }

@ -672,37 +524,20 @@ func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.S
 	return nil
 }

-func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) error {
-	// No-op if no serve config
+func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
 	if sc == nil {
-		return nil
+		return
 	}
 	fStatus := "tailnet only"
 	if sc.AllowFunnel[hp] {
 		fStatus = "Funnel on"
 	}
 	host, portStr, _ := net.SplitHostPort(string(hp))
-
-	port, err := parseServePort(portStr)
-	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", portStr, err)
+	if portStr == "443" {
+		printf("https://%s (%s)\n", host, fStatus)
+	} else {
+		printf("https://%s:%s (%s)\n", host, portStr, fStatus)
 	}
-
-	scheme := "https"
-	if sc.IsServingHTTP(port) {
-		scheme = "http"
-	}
-
-	portPart := ":" + portStr
-	if scheme == "http" && portStr == "80" ||
-		scheme == "https" && portStr == "443" {
-		portPart = ""
-	}
-	if scheme == "http" {
-		hostname, _, _ := strings.Cut("host", ".")
-		printf("%s://%s%s (%s)\n", scheme, hostname, portPart, fStatus)
-	}
-	printf("%s://%s%s (%s)\n", scheme, host, portPart, fStatus)
 	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
 		switch {
 		case h.Path != "":
@ -729,8 +564,6 @@ func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) erro
 		t, d := srvTypeAndDesc(h)
 		printf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d)
 	}
-
-	return nil
 }

 func elipticallyTruncate(s string, max int) string {
@ -740,27 +573,151 @@ func elipticallyTruncate(s string, max int) string {
 	return s[:max-3] + "..."
 }

-// runServeReset clears out the current serve config.
+// runServeTCP is the entry point for the "serve tcp" subcommand and
+// manages the serve config for TCP forwarding.
 //
-// Usage:
-//   - tailscale serve reset
-func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
-	if len(args) != 0 {
+// Examples:
+//   - tailscale serve tcp 5432
+//   - tailscale serve --serve-port=8443 tcp 4430
+//   - tailscale serve --serve-port=10000 tcp --terminate-tls 8080
+func (e *serveEnv) runServeTCP(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}
-	sc := new(ipn.ServeConfig)
-	return e.lc.SetServeConfig(ctx, sc)
+
+	srvPort, err := e.validateServePort()
+	if err != nil {
+		return err
+	}
+
+	portStr := args[0]
+	p, err := strconv.ParseUint(portStr, 10, 16)
+	if p == 0 || err != nil {
+		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", portStr)
+	}
+
+	cursc, err := e.lc.GetServeConfig(ctx)
+	if err != nil {
+		return err
+	}
+	sc := cursc.Clone() // nil if no config
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+
+	fwdAddr := "127.0.0.1:" + portStr
+
+	if sc.IsServingWeb(srvPort) {
+		if e.remove {
+			return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", srvPort)
+		}
+		return fmt.Errorf("cannot serve TCP; already serving web on %d", srvPort)
+	}
+
+	if e.remove {
+		if ph := sc.GetTCPPortHandler(srvPort); ph != nil && ph.TCPForward == fwdAddr {
+			delete(sc.TCP, srvPort)
+			// clear map mostly for testing
+			if len(sc.TCP) == 0 {
+				sc.TCP = nil
+			}
+			return e.lc.SetServeConfig(ctx, sc)
+		}
+		return errors.New("error: serve config does not exist")
+	}
+
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
+
+	dnsName, err := e.getSelfDNSName(ctx)
+	if err != nil {
+		return err
+	}
+	if e.terminateTLS {
+		sc.TCP[srvPort].TerminateTLS = dnsName
+	}
+
+	if !reflect.DeepEqual(cursc, sc) {
+		if err := e.lc.SetServeConfig(ctx, sc); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

-// parseServePort parses a port number from a string and returns it as a
-// uint16. It returns an error if the port number is invalid or zero.
-func parseServePort(s string) (uint16, error) {
-	p, err := strconv.ParseUint(s, 10, 16)
+// runServeFunnel is the entry point for the "serve funnel" subcommand and
+// manages turning on/off funnel. Funnel is off by default.
+//
+// Note: funnel is only supported on single DNS name for now. (2022-11-15)
+func (e *serveEnv) runServeFunnel(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return flag.ErrHelp
+	}
+
+	srvPort, err := e.validateServePort()
 	if err != nil {
-		return 0, err
+		return err
 	}
-	if p == 0 {
-		return 0, errors.New("port number must be non-zero")
+	srvPortStr := strconv.Itoa(int(srvPort))
+
+	var on bool
+	switch args[0] {
+	case "on", "off":
+		on = args[0] == "on"
+	default:
+		return flag.ErrHelp
 	}
-	return uint16(p), nil
+	sc, err := e.lc.GetServeConfig(ctx)
+	if err != nil {
+		return err
+	}
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+	st, err := e.getLocalClientStatus(ctx)
+	if err != nil {
+		return fmt.Errorf("getting client status: %w", err)
+	}
+	if err := checkHasAccess(st.Self.Capabilities); err != nil {
+		return err
+	}
+	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
+	hp := ipn.HostPort(dnsName + ":" + srvPortStr)
+	if on == sc.AllowFunnel[hp] {
+		// Nothing to do.
+		return nil
+	}
+	if on {
+		mak.Set(&sc.AllowFunnel, hp, true)
+	} else {
+		delete(sc.AllowFunnel, hp)
+		// clear map mostly for testing
+		if len(sc.AllowFunnel) == 0 {
+			sc.AllowFunnel = nil
+		}
+	}
+	if err := e.lc.SetServeConfig(ctx, sc); err != nil {
+		return err
+	}
+	return nil
+}
+
+// checkHasAccess checks three things: 1) an invite was used to join the
+// Funnel alpha; 2) HTTPS is enabled; 3) the node has the "funnel" attribute.
+// If any of these are false, an error is returned describing the problem.
+//
+// The nodeAttrs arg should be the node's Self.Capabilities which should contain
+// the attribute we're checking for and possibly warning-capabilities for Funnel.
+func checkHasAccess(nodeAttrs []string) error {
+	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoInvite) {
+		return errors.New("Funnel not available; an invite is required to join the alpha. See https://tailscale.com/kb/1223/tailscale-funnel/.")
+	}
+	if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoHTTPS) {
+		return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/kb/1153/enabling-https/.")
+	}
+	if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
+		return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/kb/1223/tailscale-funnel/.")
+	}
+	return nil
 }
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@ -15,7 +15,6 @@ import (
 	"strings"
 	"testing"

-	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@ -49,6 +48,30 @@ func TestCleanMountPoint(t *testing.T) {
 	}
 }

+func TestCheckHasAccess(t *testing.T) {
+	tests := []struct {
+		caps    []string
+		wantErr bool
+	}{
+		{[]string{}, true}, // No "funnel" attribute
+		{[]string{tailcfg.CapabilityWarnFunnelNoInvite}, true},
+		{[]string{tailcfg.CapabilityWarnFunnelNoHTTPS}, true},
+		{[]string{tailcfg.NodeAttrFunnel}, false},
+	}
+	for _, tt := range tests {
+		err := checkHasAccess(tt.caps)
+		switch {
+		case err != nil && tt.wantErr,
+			err == nil && !tt.wantErr:
+			continue
+		case tt.wantErr:
+			t.Fatalf("got no error, want error")
+		case !tt.wantErr:
+			t.Fatalf("got error %v, want no error", err)
+		}
+	}
+}
+
 func TestServeConfigMutations(t *testing.T) {
 	// Stateful mutations, starting from an empty config.
 	type step struct {
@ -57,8 +80,6 @@ func TestServeConfigMutations(t *testing.T) {
 		want    *ipn.ServeConfig               // non-nil means we want a save of this value
 		wantErr func(error) (badErrMsg string) // nil means no error is wanted
 		line    int                            // line number of addStep call, for error messages
-
-		debugBreak func()
 	}
 	var steps []step
 	add := func(s step) {
@ -69,19 +90,19 @@ func TestServeConfigMutations(t *testing.T) {
 	// funnel
 	add(step{reset: true})
 	add(step{
-		command: cmd("funnel 443 on"),
+		command: cmd("funnel on"),
 		want:    &ipn.ServeConfig{AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true}},
 	})
 	add(step{
-		command: cmd("funnel 443 on"),
+		command: cmd("funnel on"),
 		want:    nil, // nothing to save
 	})
 	add(step{
-		command: cmd("funnel 443 off"),
+		command: cmd("funnel off"),
 		want:    &ipn.ServeConfig{},
 	})
 	add(step{
-		command: cmd("funnel 443 off"),
+		command: cmd("funnel off"),
 		want:    nil, // nothing to save
 	})
 	add(step{
@ -91,77 +112,28 @@ func TestServeConfigMutations(t *testing.T) {

 	// https
 	add(step{reset: true})
-	add(step{ // allow omitting port (default to 80)
-		command: cmd("http / http://localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // support non Funnel port
-		command: cmd("http:9999 /abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
 	add(step{
-		command: cmd("http:9999 /abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:8080 /abc http://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-
-	// https
-	add(step{reset: true})
-	add(step{
-		command: cmd("https:443 / http://localhost:0"), // invalid port, too low
+		command: cmd("/ proxy 0"), // invalid port, too low
 		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:443 / http://localhost:65536"), // invalid port, too high
+		command: cmd("/ proxy 65536"), // invalid port, too high
 		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:443 / http://somehost:3000"), // invalid host
+		command: cmd("/ proxy somehost"), // invalid host
 		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:443 / httpz://127.0.0.1"), // invalid scheme
+		command: cmd("/ proxy http://otherhost"), // invalid host
 		wantErr: anyErr(),
 	})
-	add(step{ // allow omitting port (default to 443)
-		command: cmd("https / http://localhost:3000"),
+	add(step{
+		command: cmd("/ proxy httpz://127.0.0.1"), // invalid scheme
+		wantErr: anyErr(),
+	})
+	add(step{
+		command: cmd("/ proxy 3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -171,33 +143,12 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{ // support non Funnel port
-		command: cmd("https:9999 /abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 9999: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
+	add(step{ // invalid port
+		command: cmd("--serve-port=9999 /abc proxy 3001"),
+		wantErr: anyErr(),
 	})
 	add(step{
-		command: cmd("https:9999 /abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("https:8443 /abc http://127.0.0.1:3001"),
+		command: cmd("--serve-port=8443 /abc proxy 3001"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -211,7 +162,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:10000 / text:hi"),
+		command: cmd("--serve-port=10000 / text hi"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
 				443: {HTTPS: true}, 8443: {HTTPS: true}, 10000: {HTTPS: true}},
@ -229,12 +180,12 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 /foo off"),
+		command: cmd("--remove /foo"),
 		want:    nil, // nothing to save
 		wantErr: anyErr(),
 	}) // handler doesn't exist, so we get an error
 	add(step{
-		command: cmd("https:10000 / off"),
+		command: cmd("--remove --serve-port=10000 /"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -248,7 +199,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 / off"),
+		command: cmd("--remove /"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -259,11 +210,11 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:8443 /abc off"),
+		command: cmd("--remove --serve-port=8443 /abc"),
 		want:    &ipn.ServeConfig{},
 	})
-	add(step{ // clean mount: "bar" becomes "/bar"
-		command: cmd("https:443 bar https://127.0.0.1:8443"),
+	add(step{
+		command: cmd("bar proxy https://127.0.0.1:8443"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -274,15 +225,12 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 bar https://127.0.0.1:8443"),
+		command: cmd("bar proxy https://127.0.0.1:8443"),
 		want:    nil, // nothing to save
 	})
-	add(step{ // try resetting using reset command
-		command: cmd("reset"),
-		want:    &ipn.ServeConfig{},
-	})
+	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / https+insecure://127.0.0.1:3001"),
+		command: cmd("/ proxy https+insecure://127.0.0.1:3001"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -294,7 +242,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 /foo localhost:3000"),
+		command: cmd("/foo proxy localhost:3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -305,7 +253,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // test a second handler on the same port
-		command: cmd("https:8443 /foo localhost:3000"),
+		command: cmd("--serve-port=8443 /foo proxy localhost:3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -318,50 +266,19 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{reset: true})
-	add(step{ // support path in proxy
-		command: cmd("https / http://127.0.0.1:3000/foo/bar"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000/foo/bar"},
-				}},
-			},
-		},
-	})

 	// tcp
 	add(step{reset: true})
-	add(step{ // must include scheme for tcp
-		command: cmd("tls-terminated-tcp:443 localhost:5432"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // !somehost, must be localhost or 127.0.0.1
-		command: cmd("tls-terminated-tcp:443 tcp://somehost:5432"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // bad target port, too low
-		command: cmd("tls-terminated-tcp:443 tcp://somehost:0"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
-	add(step{ // bad target port, too high
-		command: cmd("tls-terminated-tcp:443 tcp://somehost:65536"),
-		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
-	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
+		command: cmd("tcp 5432"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:5432",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:5432"},
 			},
 		},
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://127.0.0.1:8443"),
+		command: cmd("tcp -terminate-tls 8443"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
 				443: {
@ -372,11 +289,11 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://127.0.0.1:8443"),
+		command: cmd("tcp -terminate-tls 8443"),
 		want:    nil, // nothing to save
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:8444"),
+		command: cmd("tcp --terminate-tls 8444"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
 				443: {
@ -387,41 +304,35 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://127.0.0.1:8445"),
+		command: cmd("tcp -terminate-tls=false 8445"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8445",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:8445"},
 			},
 		},
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:123"),
+		command: cmd("tcp 123"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:123",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:123"},
 			},
 		},
 	})
-	add(step{ // handler doesn't exist, so we get an error
-		command: cmd("tls-terminated-tcp:8443 off"),
-		wantErr: anyErr(),
-	})
 	add(step{
-		command: cmd("tls-terminated-tcp:443 off"),
+		command: cmd("--remove tcp 321"),
+		wantErr: anyErr(),
+	}) // handler doesn't exist, so we get an error
+	add(step{
+		command: cmd("--remove tcp 123"),
 		want:    &ipn.ServeConfig{},
 	})

 	// text
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / text:hello"),
+		command: cmd("/ text hello"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -442,7 +353,7 @@ func TestServeConfigMutations(t *testing.T) {
 	add(step{reset: true})
 	writeFile("foo", "this is foo")
 	add(step{
-		command: cmd("https:443 / " + filepath.Join(td, "foo")),
+		command: cmd("/ path " + filepath.Join(td, "foo")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -455,7 +366,7 @@ func TestServeConfigMutations(t *testing.T) {
 	os.MkdirAll(filepath.Join(td, "subdir"), 0700)
 	writeFile("subdir/file-a", "this is A")
 	add(step{
-		command: cmd("https:443 /some/where " + filepath.Join(td, "subdir/file-a")),
+		command: cmd("/some/where path " + filepath.Join(td, "subdir/file-a")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -466,13 +377,13 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{ // bad path
-		command: cmd("https:443 / bad/path"),
+	add(step{
+		command: cmd("/ path missing"),
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / " + filepath.Join(td, "subdir")),
+		command: cmd("/ path " + filepath.Join(td, "subdir")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -483,14 +394,14 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("https:443 / off"),
+		command: cmd("--remove /"),
 		want:    &ipn.ServeConfig{},
 	})

 	// combos
 	add(step{reset: true})
 	add(step{
-		command: cmd("https:443 / localhost:3000"),
+		command: cmd("/ proxy 3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -501,7 +412,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{
-		command: cmd("funnel 443 on"),
+		command: cmd("funnel on"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
@ -513,7 +424,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // serving on secondary port doesn't change funnel
-		command: cmd("https:8443 /bar localhost:3001"),
+		command: cmd("--serve-port=8443 /bar proxy 3001"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
@ -528,7 +439,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // turn funnel on for secondary port
-		command: cmd("funnel 8443 on"),
+		command: cmd("--serve-port=8443 funnel on"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true, "foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
@ -543,7 +454,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // turn funnel off for primary port 443
-		command: cmd("funnel 443 off"),
+		command: cmd("funnel off"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
@ -558,7 +469,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // remove secondary port
-		command: cmd("https:8443 /bar off"),
+		command: cmd("--serve-port=8443 --remove /bar"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
@ -570,7 +481,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // start a tcp forwarder on 8443
-		command: cmd("tcp:8443 tcp://localhost:5432"),
+		command: cmd("--serve-port=8443 tcp 5432"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {TCPForward: "127.0.0.1:5432"}},
@ -582,27 +493,27 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // remove primary port http handler
-		command: cmd("https:443 / off"),
+		command: cmd("--remove /"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 			TCP:         map[uint16]*ipn.TCPPortHandler{8443: {TCPForward: "127.0.0.1:5432"}},
 		},
 	})
 	add(step{ // remove tcp forwarder
-		command: cmd("tls-terminated-tcp:8443 off"),
+		command: cmd("--serve-port=8443 --remove tcp 5432"),
 		want: &ipn.ServeConfig{
 			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
 		},
 	})
 	add(step{ // turn off funnel
-		command: cmd("funnel 8443 off"),
+		command: cmd("--serve-port=8443 funnel off"),
 		want:    &ipn.ServeConfig{},
 	})

 	// tricky steps
 	add(step{reset: true})
 	add(step{ // a directory with a trailing slash mount point
-		command: cmd("https:443 /dir " + filepath.Join(td, "subdir")),
+		command: cmd("/dir path " + filepath.Join(td, "subdir")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -613,7 +524,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // this should overwrite the previous one
-		command: cmd("https:443 /dir " + filepath.Join(td, "foo")),
+		command: cmd("/dir path " + filepath.Join(td, "foo")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -625,7 +536,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{reset: true}) // reset and do the opposite
 	add(step{              // a file without a trailing slash mount point
-		command: cmd("https:443 /dir " + filepath.Join(td, "foo")),
+		command: cmd("/dir path " + filepath.Join(td, "foo")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -636,7 +547,7 @@ func TestServeConfigMutations(t *testing.T) {
 		},
 	})
 	add(step{ // this should overwrite the previous one
-		command: cmd("https:443 /dir " + filepath.Join(td, "subdir")),
+		command: cmd("/dir path " + filepath.Join(td, "subdir")),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -649,24 +560,37 @@ func TestServeConfigMutations(t *testing.T) {

 	// error states
 	add(step{reset: true})
+	add(step{ // make sure we can't add "tcp" as if it was a mount
+		command: cmd("tcp text foo"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
+	})
+	add(step{ // "/tcp" is fine though as a mount
+		command: cmd("/tcp text foo"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+					"/tcp": {Text: "foo"},
+				}},
+			},
+		},
+	})
+	add(step{reset: true})
 	add(step{ // tcp forward 5432 on serve port 443
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
+		command: cmd("tcp 5432"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:5432",
-					TerminateTLS: "foo.test.ts.net",
-				},
+				443: {TCPForward: "127.0.0.1:5432"},
 			},
 		},
 	})
 	add(step{ // try to start a web handler on the same port
-		command: cmd("https:443 / localhost:3000"),
+		command: cmd("/ proxy 3000"),
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{reset: true})
 	add(step{ // start a web handler on port 443
-		command: cmd("https:443 / localhost:3000"),
+		command: cmd("/ proxy 3000"),
 		want: &ipn.ServeConfig{
 			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 			Web: map[ipn.HostPort]*ipn.WebServerConfig{
@ -676,17 +600,14 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
-	add(step{ // try to start a tcp forwarder on the same serve port
-		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
+	add(step{ // try to start a tcp forwarder on the same serve port (443 default)
+		command: cmd("tcp 5432"),
 		wantErr: anyErr(),
 	})

 	lc := &fakeLocalServeClient{}
 	// And now run the steps above.
 	for i, st := range steps {
-		if st.debugBreak != nil {
-			st.debugBreak()
-		}
 		if st.reset {
 			t.Logf("Executing step #%d, line %v: [reset]", i, st.line)
 			lc.config = nil
@ -704,16 +625,8 @@ func TestServeConfigMutations(t *testing.T) {
 			testStdout:  &stdout,
 		}
 		lastCount := lc.setCount
-		var cmd *ffcli.Command
-		var args []string
-		if st.command[0] == "funnel" {
-			cmd = newFunnelCommand(e)
-			args = st.command[1:]
-		} else {
-			cmd = newServeCommand(e)
-			args = st.command
-		}
-		err := cmd.ParseAndRun(context.Background(), args)
+		cmd := newServeCommand(e)
+		err := cmd.ParseAndRun(context.Background(), st.command)
 		if flagOut.Len() > 0 {
 			t.Logf("flag package output: %q", flagOut.Bytes())
 		}
@ -764,7 +677,7 @@ var fakeStatus = &ipnstate.Status{
 	BackendState: ipn.Running.String(),
 	Self: &ipnstate.PeerStatus{
 		DNSName:      "foo.test.ts.net",
-		Capabilities: []string{tailcfg.NodeAttrFunnel, tailcfg.CapabilityFunnelPorts + "?ports=443,8443"},
+		Capabilities: []string{tailcfg.NodeAttrFunnel},
 	},
 }

@ -804,5 +717,7 @@ func anyErr() func(error) string {
 }

 func cmd(s string) []string {
-	return strings.Fields(s)
+	cmds := strings.Fields(s)
+	fmt.Printf("cmd: %v", cmds)
+	return cmds
 }
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@ -258,7 +258,6 @@ func printFunnelStatus(ctx context.Context) {
 		}
 		printf("#     - %s\n", url)
 	}
-	outln()
 }

 // isRunningOrStarting reports whether st is in state Running or Starting.
@ -276,7 +275,7 @@ func isRunningOrStarting(st *ipnstate.Status) (description string, ok bool) {
 		}
 		return s, false
 	case ipn.NeedsMachineAuth.String():
-		return "Machine is not yet approved by tailnet admin.", false
+		return "Machine is not yet authorized by tailnet admin.", false
 	case ipn.Running.String(), ipn.Starting.String():
 		return st.BackendState, true
 	}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@ -13,13 +13,11 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
-	"net/url"
 	"os"
 	"os/signal"
 	"reflect"
 	"runtime"
 	"sort"
-	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@ -28,9 +26,6 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
-	"golang.org/x/oauth2/clientcredentials"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/envknob"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@ -39,7 +34,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@ -326,8 +320,8 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		}
 	}

-	if err := dnsname.ValidHostname(upArgs.hostname); upArgs.hostname != "" && err != nil {
-		return nil, err
+	if len(upArgs.hostname) > 256 {
+		return nil, fmt.Errorf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
 	}

 	prefs := ipn.NewPrefs()
@ -415,12 +409,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, err
 	}

-	if env.upArgs.forceReauth && isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will result in your SSH session disconnecting.`, env.upArgs.acceptedRisks); err != nil {
-			return false, nil, err
-		}
-	}
-
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)

 	simpleUp = env.flagSet.NFlag() == 0 &&
@ -596,7 +584,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 					if env.upArgs.json {
 						printUpDoneJSON(ipn.NeedsMachineAuth, "")
 					} else {
-						fmt.Fprintf(Stderr, "\nTo approve your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
+						fmt.Fprintf(Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
 					}
 				case ipn.Running:
 					// Done full authentication process
@ -668,10 +656,6 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		if err != nil {
 			return err
 		}
-		authKey, err = resolveAuthKey(ctx, authKey, upArgs.advertiseTags)
-		if err != nil {
-			return err
-		}
 		if err := localClient.Start(ctx, ipn.Options{
 			AuthKey:     authKey,
 			UpdatePrefs: prefs,
@ -1111,96 +1095,3 @@ func anyPeerAdvertisingRoutes(st *ipnstate.Status) bool {
 	}
 	return false
 }
-
-func init() {
-	// Required to use our client API. We're fine with the instability since the
-	// client lives in the same repo as this code.
-	tailscale.I_Acknowledge_This_API_Is_Unstable = true
-}
-
-// resolveAuthKey either returns v unchanged (in the common case) or, if it
-// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
-//
-//	tskey-client-xxxx[?ephemeral=false&bar&preauthorized=BOOL&baseURL=...]
-//
-// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
-// property defaults to true if unspecified. The "preauthorized" defaults to
-// false. The "baseURL" defaults to https://api.tailscale.com.
-// The passed in tags are required, and must be non-empty. These will be
-// set on the authkey generated by the OAuth2 dance.
-func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
-	if !strings.HasPrefix(v, "tskey-client-") {
-		return v, nil
-	}
-	if !envknob.Bool("TS_EXPERIMENT_OAUTH_AUTHKEY") {
-		return "", errors.New("oauth authkeys are in experimental status")
-	}
-	if tags == "" {
-		return "", errors.New("oauth authkeys require --advertise-tags")
-	}
-
-	clientSecret, named, _ := strings.Cut(v, "?")
-	attrs, err := url.ParseQuery(named)
-	if err != nil {
-		return "", err
-	}
-	for k := range attrs {
-		switch k {
-		case "ephemeral", "preauthorized", "baseURL":
-		default:
-			return "", fmt.Errorf("unknown attribute %q", k)
-		}
-	}
-	getBool := func(name string, def bool) (bool, error) {
-		v := attrs.Get(name)
-		if v == "" {
-			return def, nil
-		}
-		ret, err := strconv.ParseBool(v)
-		if err != nil {
-			return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
-		}
-		return ret, nil
-	}
-	ephemeral, err := getBool("ephemeral", true)
-	if err != nil {
-		return "", err
-	}
-	preauth, err := getBool("preauthorized", false)
-	if err != nil {
-		return "", err
-	}
-
-	baseURL := "https://api.tailscale.com"
-	if v := attrs.Get("baseURL"); v != "" {
-		baseURL = v
-	}
-
-	credentials := clientcredentials.Config{
-		ClientID:     "some-client-id", // ignored
-		ClientSecret: clientSecret,
-		TokenURL:     baseURL + "/api/v2/oauth/token",
-		Scopes:       []string{"device"},
-	}
-
-	tsClient := tailscale.NewClient("-", nil)
-	tsClient.HTTPClient = credentials.Client(ctx)
-	tsClient.BaseURL = baseURL
-
-	caps := tailscale.KeyCapabilities{
-		Devices: tailscale.KeyDeviceCapabilities{
-			Create: tailscale.KeyDeviceCreateCapabilities{
-				Reusable:      false,
-				Ephemeral:     ephemeral,
-				Preauthorized: preauth,
-				Tags:          strings.Split(tags, ","),
-			},
-		},
-	}
-
-	authkey, _, err := tsClient.CreateKey(ctx, caps)
-	if err != nil {
-		return "", err
-	}
-	return authkey, nil
-}
--- a/cmd/tailscale/cli/update.go
+++ b/cmd/tailscale/cli/update.go
@ -145,11 +145,11 @@ func newUpdater() (*updater, error) {
 		case strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
 			up.update = up.updateMacSys
 		default:
-			return nil, errors.New("This is the macOS App Store version of Tailscale; update in the App Store, or see https://tailscale.com/s/unstable-clients to use TestFlight or to install the non-App Store version")
+			return nil, errors.New("This is the macOS App Store version of Tailscale; update in the App Store, or see https://tailscale.com/kb/1083/install-unstable/ to use TestFlight or to install the non-App Store version")
 		}
 	}
 	if up.update == nil {
-		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
+		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/kb/1067/update/")
 	}
 	return up, nil
 }
@ -160,12 +160,12 @@ type updater struct {
 }

 func (up *updater) currentOrDryRun(ver string) bool {
-	if version.Short() == ver {
+	if version.Short == ver {
 		fmt.Printf("already running %v; no update needed\n", ver)
 		return true
 	}
 	if updateArgs.dryRun {
-		fmt.Printf("Current: %v, Latest: %v\n", version.Short(), ver)
+		fmt.Printf("Current: %v, Latest: %v\n", version.Short, ver)
 		return true
 	}
 	return false
@ -173,11 +173,11 @@ func (up *updater) currentOrDryRun(ver string) bool {

 func (up *updater) confirm(ver string) error {
 	if updateArgs.yes {
-		log.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short(), ver)
+		log.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short, ver)
 		return nil
 	}

-	fmt.Printf("This will update Tailscale from %v to %v. Continue? [y/n] ", version.Short(), ver)
+	fmt.Printf("This will update Tailscale from %v to %v. Continue? [y/n] ", version.Short, ver)
 	var resp string
 	fmt.Scanln(&resp)
 	resp = strings.ToLower(resp)
@ -430,7 +430,7 @@ func installMSI(msi string) error {
 		if err == nil {
 			break
 		}
-		uninstallVersion := version.Short()
+		uninstallVersion := version.Short
 		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
 			uninstallVersion = v
 		}
--- a/cmd/tailscale/cli/web.css
+++ b/cmd/tailscale/cli/web.css
@ -1286,28 +1286,6 @@ html {
 	color: rgba(25, 34, 74, var(--text-opacity));
 }

-.link-underline {
-	text-decoration: underline;
-}
-
-.link-underline:hover,
-.link-underline:active {
-	text-decoration: none;
-}
-
-.link-muted {
-	/* same as text-gray-500 */
-	--tw-text-opacity: 1;
-	color: rgba(112, 110, 109, var(--tw-text-opacity));
-}
-
-.link-muted:hover,
-.link-muted:active {
-	/* same as text-gray-500 */
-	--tw-text-opacity: 1;
-	color: rgba(68, 67, 66, var(--tw-text-opacity));
-}
-
 .button {
 	font-weight: 500;
 	padding-top: 0.45rem;
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@ -29,7 +29,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )
@ -61,17 +60,6 @@ type tmplData struct {
 	LicensesURL       string
 	TUNMode           bool
 	IsSynology        bool
-	DSMVersion        int // 6 or 7, if IsSynology=true
-	IsUnraid          bool
-	UnraidToken       string
-	IPNVersion        string
-}
-
-type postedData struct {
-	AdvertiseRoutes   string
-	AdvertiseExitNode bool
-	Reauthenticate    bool
-	ForceLogout       bool
 }

 var webCmd = &ffcli.Command{
@ -145,7 +133,7 @@ func runWeb(ctx context.Context, args []string) error {
 			Handler:   http.HandlerFunc(webHandler),
 		}

-		log.Printf("web server running on: https://%s", server.Addr)
+		log.Printf("web server runNIng on: https://%s", server.Addr)
 		return server.ListenAndServeTLS("", "")
 	} else {
 		log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
@ -156,7 +144,10 @@ func runWeb(ctx context.Context, args []string) error {
 // urlOfListenAddr parses a given listen address into a formatted URL
 func urlOfListenAddr(addr string) string {
 	host, port, _ := net.SplitHostPort(addr)
-	return fmt.Sprintf("http://%s", net.JoinHostPort(cmpx.Or(host, "127.0.0.1"), port))
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	return fmt.Sprintf("http://%s", net.JoinHostPort(host, port))
 }

 // authorize returns the name of the user accessing the web UI after verifying
@ -228,48 +219,33 @@ func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
 	return "", nil, fmt.Errorf("not authenticated by any mechanism")
 }

-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
 func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
 	query := url.Values{
 		"qtoken": []string{token},
 		"user":   []string{user},
 	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+	u := url.URL{
+		Scheme:   "http",
+		Host:     "127.0.0.1:8080",
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return qnapAuthnFinish(user, u.String())
 }

 func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
 	query := url.Values{
 		"sid": []string{sid},
 	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+	u := url.URL{
+		Scheme:   "http",
+		Host:     "127.0.0.1:8080",
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return qnapAuthnFinish(user, u.String())
 }

 func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
@ -377,7 +353,11 @@ func webHandler(w http.ResponseWriter, r *http.Request) {

 	if r.Method == "POST" {
 		defer r.Body.Close()
-		var postData postedData
+		var postData struct {
+			AdvertiseRoutes   string
+			AdvertiseExitNode bool
+			Reauthenticate    bool
+		}
 		type mi map[string]any
 		if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
 			w.WriteHeader(400)
@ -406,15 +386,8 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		}

 		w.Header().Set("Content-Type", "application/json")
-		var reauth, logout bool
-		if postData.Reauthenticate {
-			reauth = true
-		}
-		if postData.ForceLogout {
-			logout = true
-		}
-		log.Printf("tailscaleUp(reauth=%v, logout=%v) ...", reauth, logout)
-		url, err := tailscaleUp(r.Context(), st, postData)
+		log.Printf("tailscaleUp(reauth=%v) ...", postData.Reauthenticate)
+		url, err := tailscaleUp(r.Context(), st, postData.Reauthenticate)
 		log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
@ -431,7 +404,6 @@ func webHandler(w http.ResponseWriter, r *http.Request) {

 	profile := st.User[st.Self.UserID]
 	deviceName := strings.Split(st.Self.DNSName, ".")[0]
-	versionShort := strings.Split(st.Version, "-")[0]
 	data := tmplData{
 		SynologyUser: user,
 		Profile:      profile,
@ -440,10 +412,6 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		LicensesURL:  licensesURL(),
 		TUNMode:      st.TUN,
 		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:   distro.DSMVersion(),
-		IsUnraid:     distro.Get() == distro.Unraid,
-		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
-		IPNVersion:   versionShort,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
 	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
@ -469,18 +437,10 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	w.Write(buf.Bytes())
 }

-func tailscaleUp(ctx context.Context, st *ipnstate.Status, postData postedData) (authURL string, retErr error) {
-	if postData.ForceLogout {
-		if err := localClient.Logout(ctx); err != nil {
-			return "", fmt.Errorf("Logout error: %w", err)
-		}
-		return "", nil
-	}
-
+func tailscaleUp(ctx context.Context, st *ipnstate.Status, forceReauth bool) (authURL string, retErr error) {
 	origAuthURL := st.AuthURL
 	isRunning := st.BackendState == ipn.Running.String()

-	forceReauth := postData.Reauthenticate
 	if !forceReauth {
 		if origAuthURL != "" {
 			return origAuthURL, nil
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@ -26,14 +26,10 @@
 			<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
 		</svg>
 		<div class="flex items-center justify-end space-x-2 w-2/3">
-			{{ with .Profile }}
-			<div class="text-right w-full leading-4">
-				<h4 class="truncate leading-normal">{{.LoginName}}</h4>
-				<div class="text-xs text-gray-500 text-right">
-					<a href="#" class="hover:text-gray-700 js-loginButton">Switch account</a> | <a href="#"
-						class="hover:text-gray-700 js-loginButton">Reauthenticate</a> | <a href="#"
-						class="hover:text-gray-700 js-logoutButton">Logout</a>
-				</div>
+			{{ with .Profile.LoginName }}
+			<div class="text-right truncate leading-4">
+				<h4 class="truncate leading-normal">{{.}}</h4>
+				<a href="#" class="text-xs text-gray-500 hover:text-gray-700 js-loginButton">Switch account</a>
 			</div>
 			{{ end }}
 			<div class="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
@ -48,7 +44,7 @@
 	</header>
 	{{ if .IP }}
 	<div
-		class="border border-gray-200 bg-gray-0 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
+		class="border border-gray-200 bg-gray-0 rounded-lg p-2 pl-3 pr-3 mb-8 width-full flex items-center justify-between">
 		<div class="flex items-center min-width-0">
 			<svg class="flex-shrink-0 text-gray-600 mr-3 ml-1" xmlns="http://www.w3.org/2000/svg" width="20" height="20"
 				viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
@ -58,21 +54,10 @@
 				<line x1="6" y1="6" x2="6.01" y2="6"></line>
 				<line x1="6" y1="18" x2="6.01" y2="18"></line>
 			</svg>
-			<div>
-				<h4 class="font-semibold truncate mr-2">{{.DeviceName}}</h4>
-			</div>
+			<h4 class="font-semibold truncate mr-2">{{.DeviceName}}</h4>
 		</div>
 		<h5>{{.IP}}</h5>
 	</div>
-	<p class="mt-1 ml-1 mb-6 text-xs text-gray-600">
-		Debug info: Tailscale {{ .IPNVersion }}, tun={{.TUNMode}}{{ if .IsSynology }}, DSM{{ .DSMVersion}}
-			{{if not .TUNMode}}
-			(<a href="https://tailscale.com/kb/1152/synology-outbound/" class="link-underline text-gray-600" target="_blank"
-				aria-label="Configure outbound synology traffic"
-				rel="noopener noreferrer">outgoing access not configured</a>)
-			{{end}}
-		{{end}}
-	</p>
 	{{ end }}
 	{{ if or (eq .Status "NeedsLogin") (eq .Status "NoState") }}
 	{{ if .IP }}
@ -110,21 +95,30 @@
 		{{end}}
 	</a>
 	</div>
+	<div class="mb-4">
+		<a href="#" class="mb-4 link font-medium js-loginButton" target="_blank">Reauthenticate</a>
+	</div>
+	{{ if .IsSynology }}
+		<div class="border border-gray-200 bg-orange-0 rounded-lg p-2 pl-3 pr-3 mb-8 width-full text-orange-800">
+			Outgoing access {{ if .TUNMode }}enabled{{ else }}not configured{{ end }}.
+			<nobr><a href="https://tailscale.com/kb/1152/synology-outbound/"
+				class="font-medium link"
+				target="_blank"
+				rel="noopener noreferrer">Learn more &rarr;</a></nobr>
+		</div>
+	{{ end }}
 	{{ end }}
 </main>
 <footer class="container max-w-lg mx-auto text-center">
 	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
 </footer>
 <script>(function () {
-const advertiseExitNode = {{ .AdvertiseExitNode }};
-const isUnraid = {{ .IsUnraid }};
-const unraidCsrfToken = "{{ .UnraidToken }}";
+const advertiseExitNode = {{.AdvertiseExitNode}};
 let fetchingUrl = false;
 var data = {
-	AdvertiseRoutes: "{{ .AdvertiseRoutes }}",
+	AdvertiseRoutes: "{{.AdvertiseRoutes}}",
 	AdvertiseExitNode: advertiseExitNode,
-	Reauthenticate: false,
-	ForceLogout: false
+	Reauthenticate: false
 };

 function postData(e) {
@ -143,27 +137,15 @@ function postData(e) {
 	}
 	const nextUrl = new URL(window.location);
 	nextUrl.search = nextParams.toString()
-
-	let body = JSON.stringify(data);
-	let contentType = "application/json";
-
-	if (isUnraid) {
-		const params = new URLSearchParams();
-		params.append("csrf_token", unraidCsrfToken);
-		params.append("ts_data", JSON.stringify(data));
-
-		body = params.toString();
-		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
-	}
-
 	const url = nextUrl.toString();
+
 	fetch(url, {
 		method: "POST",
 		headers: {
 			"Accept": "application/json",
-			"Content-Type": contentType,
+			"Content-Type": "application/json",
 		},
-		body: body
+		body: JSON.stringify(data)
 	}).then(res => res.json()).then(res => {
 		fetchingUrl = false;
 		const err = res["error"];
@ -172,32 +154,22 @@ function postData(e) {
 		}
 		const url = res["url"];
 		if (url) {
-			if(isUnraid) {
-				window.open(url, "_blank");
-			} else {
-				document.location.href = url;
-			}
+			document.location.href = url;
 		} else {
 			location.reload();
 		}
 	}).catch(err => {
-		alert("Failed operation: " + err.message);
+		alert("Failed to log in: " + err.message);
 	});
 }

-document.querySelectorAll(".js-loginButton").forEach(function (el){
+Array.from(document.querySelectorAll(".js-loginButton")).forEach(el => {
 	el.addEventListener("click", function(e) {
 		data.Reauthenticate = true;
 		postData(e);
 	});
 })
-document.querySelectorAll(".js-logoutButton").forEach(function(el) {
-	el.addEventListener("click", function (e) {
-		data.ForceLogout = true;
-		postData(e);
-	});
-})
-document.querySelectorAll(".js-advertiseExitNode").forEach(function (el) {
+Array.from(document.querySelectorAll(".js-advertiseExitNode")).forEach(el => {
 	el.addEventListener("click", function(e) {
 		data.AdvertiseExitNode = !advertiseExitNode;
 		postData(e);
--- a/cmd/tailscale/cli/web_test.go
+++ b/cmd/tailscale/cli/web_test.go
@ -3,10 +3,7 @@

 package cli

-import (
-	"net/url"
-	"testing"
-)
+import "testing"

 func TestUrlOfListenAddr(t *testing.T) {
 	tests := []struct {
@ -37,64 +34,9 @@ func TestUrlOfListenAddr(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			u := urlOfListenAddr(tt.in)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
-			}
-		})
-	}
-}
-
-func TestQnapAuthnURL(t *testing.T) {
-	query := url.Values{
-		"qtoken": []string{"token"},
-	}
-	tests := []struct {
-		name string
-		in   string
-		want string
-	}{
-		{
-			name: "localhost http",
-			in:   "http://localhost:8088/",
-			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "localhost https",
-			in:   "https://localhost:5000/",
-			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP http",
-			in:   "http://10.1.20.4:80/",
-			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP6 https",
-			in:   "https://[ff7d:0:1:2::1]/",
-			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "hostname https",
-			in:   "https://qnap.example.com/",
-			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "invalid URL",
-			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "err != nil",
-			in:   "http://192.168.0.%31/",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			u := qnapAuthnURL(tt.in, query)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
+			url := urlOfListenAddr(tt.in)
+			if url != tt.want {
+				t.Errorf("expected url: %q, got: %q", tt.want, url)
 			}
 		})
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@ -3,26 +3,17 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
        filippo.io/edwards25519/field                                from filippo.io/edwards25519
   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/google/uuid                                       from tailscale.com/util/quarantine+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@ -30,7 +21,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 github.com/mattn/go-isatty                                   from github.com/mattn/go-colorable+
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
@ -44,35 +34,15 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
-   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/derp+
        go4.org/netipx                                               from tailscale.com/wgengine/filter
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        gopkg.in/yaml.v2                                             from sigs.k8s.io/yaml
-   L    gvisor.dev/gvisor/pkg/abi                                    from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/abi/linux                              from tailscale.com/util/linuxfw
-   L    gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/abi/linux
-   L    gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/abi/linux+
-   L 💣 gvisor.dev/gvisor/pkg/hostarch                               from gvisor.dev/gvisor/pkg/abi/linux+
-   L    gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
-   L    gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context
-   L    gvisor.dev/gvisor/pkg/marshal                                from gvisor.dev/gvisor/pkg/abi/linux+
-   L 💣 gvisor.dev/gvisor/pkg/marshal/primitive                      from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/abi/linux+
-   L    gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
-   L 💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
-   L    gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context
-        k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
-        sigs.k8s.io/yaml                                             from tailscale.com/cmd/tailscale/cli
        software.sslmate.com/src/go-pkcs12                           from tailscale.com/cmd/tailscale/cli
        software.sslmate.com/src/go-pkcs12/internal/rc2              from software.sslmate.com/src/go-pkcs12
        tailscale.com                                                from tailscale.com/version
@ -101,15 +71,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter+
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
-        tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
@ -121,12 +88,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/derp+
-        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
@ -140,20 +106,17 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
-   L 💣 tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
        tailscale.com/util/mak                                       from tailscale.com/net/netcheck+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp+
        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/quarantine                                from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
     💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
@ -173,7 +136,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/maps                                        from tailscale.com/types/views
        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@ -183,12 +145,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
        golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
-        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp+
+        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
-        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials
-        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/tailscale/cli
-        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
@ -205,7 +164,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from net/http
-        compress/zlib                                                from image/png+
+        compress/zlib                                                from image/png
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@ -230,8 +189,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
        database/sql/driver                                          from github.com/google/uuid
-   L    debug/dwarf                                                  from debug/elf
-   L    debug/elf                                                    from golang.org/x/sys/unix
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@ -259,7 +216,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from golang.org/x/sys/cpu+
        log                                                          from expvar+
-        log/internal                                                 from log
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
--- a/cmd/tailscale/generate.go
+++ b/cmd/tailscale/generate.go
@ -6,3 +6,4 @@ package main
 //go:generate go run tailscale.com/cmd/mkmanifest amd64 windows-manifest.xml manifest_windows_amd64.syso
 //go:generate go run tailscale.com/cmd/mkmanifest 386 windows-manifest.xml manifest_windows_386.syso
 //go:generate go run tailscale.com/cmd/mkmanifest arm64 windows-manifest.xml manifest_windows_arm64.syso
+//go:generate go run tailscale.com/cmd/mkmanifest arm windows-manifest.xml manifest_windows_arm.syso
--- a/cmd/tailscale/manifest_windows_arm.syso
+++ b/cmd/tailscale/manifest_windows_arm.syso
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@ -14,19 +14,25 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/http/httptrace"
+	"net/netip"
 	"net/url"
 	"os"
+	"strings"
 	"time"

 	"tailscale.com/derp/derphttp"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netmon"
+	"tailscale.com/net/portmapper"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
+	"tailscale.com/wgengine/monitor"
 )

 var debugArgs struct {
@ -42,7 +48,7 @@ var debugModeFunc = debugMode // so it can be addressable
 func debugMode(args []string) error {
 	fs := flag.NewFlagSet("debug", flag.ExitOnError)
 	fs.BoolVar(&debugArgs.ifconfig, "ifconfig", false, "If true, print network interface state")
-	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run network monitor forever. Precludes all other options.")
+	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
 	fs.BoolVar(&debugArgs.portmap, "portmap", false, "If true, run portmap debugging. Precludes all other options.")
 	fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
 	fs.StringVar(&debugArgs.derpCheck, "derp", "", "if non-empty, test a DERP ping via named region code")
@ -76,7 +82,7 @@ func runMonitor(ctx context.Context, loop bool) error {
 		j, _ := json.MarshalIndent(st, "", "    ")
 		os.Stderr.Write(j)
 	}
-	mon, err := netmon.New(log.Printf)
+	mon, err := monitor.New(log.Printf)
 	if err != nil {
 		return err
 	}
@ -84,10 +90,10 @@ func runMonitor(ctx context.Context, loop bool) error {

 	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
 		if !changed {
-			log.Printf("Network monitor fired; no change")
+			log.Printf("Link monitor fired; no change")
 			return
 		}
-		log.Printf("Network monitor fired. New state:")
+		log.Printf("Link monitor fired. New state:")
 		dump(st)
 	})
 	if loop {
@ -193,8 +199,8 @@ func checkDerp(ctx context.Context, derpRegion string) (err error) {
 	priv1 := key.NewNode()
 	priv2 := key.NewNode()

-	c1 := derphttp.NewRegionClient(priv1, log.Printf, nil, getRegion)
-	c2 := derphttp.NewRegionClient(priv2, log.Printf, nil, getRegion)
+	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
+	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
 	defer func() {
 		if err != nil {
 			c1.Close()
@ -223,5 +229,95 @@ func checkDerp(ctx context.Context, derpRegion string) (err error) {
 }

 func debugPortmap(ctx context.Context) error {
-	return fmt.Errorf("this flag has been deprecated in favour of 'tailscale debug portmap'")
+	ctx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+
+	portmapper.VerboseLogs = true
+	switch envknob.String("TS_DEBUG_PORTMAP_TYPE") {
+	case "":
+	case "pmp":
+		portmapper.DisablePCP = true
+		portmapper.DisableUPnP = true
+	case "pcp":
+		portmapper.DisablePMP = true
+		portmapper.DisableUPnP = true
+	case "upnp":
+		portmapper.DisablePCP = true
+		portmapper.DisablePMP = true
+	default:
+		log.Fatalf("TS_DEBUG_PORTMAP_TYPE must be one of pmp,pcp,upnp")
+	}
+
+	done := make(chan bool, 1)
+
+	var c *portmapper.Client
+	logf := log.Printf
+	c = portmapper.NewClient(logger.WithPrefix(logf, "portmapper: "), func() {
+		logf("portmapping changed.")
+		logf("have mapping: %v", c.HaveMapping())
+
+		if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
+			logf("cb: mapping: %v", ext)
+			select {
+			case done <- true:
+			default:
+			}
+			return
+		}
+		logf("cb: no mapping")
+	})
+	linkMon, err := monitor.New(logger.WithPrefix(logf, "monitor: "))
+	if err != nil {
+		return err
+	}
+
+	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
+		if v := os.Getenv("TS_DEBUG_GW_SELF"); strings.Contains(v, "/") {
+			i := strings.Index(v, "/")
+			gw = netip.MustParseAddr(v[:i])
+			self = netip.MustParseAddr(v[i+1:])
+			return gw, self, true
+		}
+		return linkMon.GatewayAndSelfIP()
+	}
+
+	c.SetGatewayLookupFunc(gatewayAndSelfIP)
+
+	gw, selfIP, ok := gatewayAndSelfIP()
+	if !ok {
+		logf("no gateway or self IP; %v", linkMon.InterfaceState())
+		return nil
+	}
+	logf("gw=%v; self=%v", gw, selfIP)
+
+	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
+	if err != nil {
+		return err
+	}
+	defer uc.Close()
+	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
+
+	res, err := c.Probe(ctx)
+	if err != nil {
+		return fmt.Errorf("Probe: %v", err)
+	}
+	logf("Probe: %+v", res)
+
+	if !res.PCP && !res.PMP && !res.UPnP {
+		logf("no portmapping services available")
+		return nil
+	}
+
+	if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
+		logf("mapping: %v", ext)
+	} else {
+		logf("no mapping")
+	}
+
+	select {
+	case <-done:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
 }
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@ -3,9 +3,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
        filippo.io/edwards25519/field                                from filippo.io/edwards25519
   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
@ -14,7 +12,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
   L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
-   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
   L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
   L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
@ -40,7 +38,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
   L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
   L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
-   L    github.com/aws/aws-sdk-go-v2/internal/shareddefaults         from github.com/aws/aws-sdk-go-v2/config+
   L    github.com/aws/aws-sdk-go-v2/internal/strings                from github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4
   L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
   L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
@ -51,19 +48,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
   L    github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sso
   L    github.com/aws/aws-sdk-go-v2/service/sso/types               from github.com/aws/aws-sdk-go-v2/service/sso
-   L    github.com/aws/aws-sdk-go-v2/service/ssooidc                 from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints from github.com/aws/aws-sdk-go-v2/service/ssooidc
-   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/types           from github.com/aws/aws-sdk-go-v2/service/ssooidc
   L    github.com/aws/aws-sdk-go-v2/service/sts                     from github.com/aws/aws-sdk-go-v2/config+
   L    github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sts
   L    github.com/aws/aws-sdk-go-v2/service/sts/types               from github.com/aws/aws-sdk-go-v2/credentials/stscreds+
   L    github.com/aws/smithy-go                                     from github.com/aws/aws-sdk-go-v2/aws/protocol/restjson+
-   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws
   L    github.com/aws/smithy-go/context                             from github.com/aws/smithy-go/auth/bearer
   L    github.com/aws/smithy-go/document                            from github.com/aws/aws-sdk-go-v2/service/ssm+
   L    github.com/aws/smithy-go/encoding                            from github.com/aws/smithy-go/encoding/json+
   L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
-   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
   L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
   L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
@ -75,23 +69,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com
   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
-   W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@ -106,7 +93,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd+
+        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
@ -115,21 +102,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
-   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
-   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
-   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
-   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
-  LD 💣 github.com/tailscale/golang-x-crypto/internal/alias          from github.com/tailscale/golang-x-crypto/chacha20
+  LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
@ -160,25 +141,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
   W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
-   L    gvisor.dev/gvisor/pkg/abi                                    from gvisor.dev/gvisor/pkg/abi/linux
-   L 💣 gvisor.dev/gvisor/pkg/abi/linux                              from tailscale.com/util/linuxfw
        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
-   L 💣 gvisor.dev/gvisor/pkg/hostarch                               from gvisor.dev/gvisor/pkg/abi/linux+
        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
-   L    gvisor.dev/gvisor/pkg/marshal                                from gvisor.dev/gvisor/pkg/abi/linux+
-   L 💣 gvisor.dev/gvisor/pkg/marshal/primitive                      from gvisor.dev/gvisor/pkg/abi/linux
        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/bufferv2+
     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
-     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
        gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/bufferv2+
@ -225,7 +200,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
        tailscale.com/disco                                          from tailscale.com/derp+
        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
-     💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
        tailscale.com/envknob                                        from tailscale.com/control/controlclient+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
@ -238,18 +212,17 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/ipnstate                                   from tailscale.com/control/controlclient+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
   L    tailscale.com/ipn/store/kubestore                            from tailscale.com/ipn/store
        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/store+
   L    tailscale.com/kube                                           from tailscale.com/ipn/store/kubestore
        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
-        tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail                                        from tailscale.com/control/controlclient+
        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
-        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy+
+        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
        tailscale.com/metrics                                        from tailscale.com/derp+
        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
@ -264,25 +237,21 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns+
-        tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscaled+
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnauth+
        tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
-        tailscale.com/net/sockstats                                  from tailscale.com/control/controlclient+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
-        tailscale.com/net/tstun/table                                from tailscale.com/net/tstun
        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
     💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
@ -291,21 +260,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
-     💣 tailscale.com/tempfork/device                                from tailscale.com/net/tstun/table
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock+
+        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
-        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tsweb                                          from tailscale.com/cmd/tailscaled
        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
-        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
        tailscale.com/types/logid                                    from tailscale.com/logtail+
        tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
@ -321,7 +287,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
  LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
-        tailscale.com/util/cmpx                                      from tailscale.com/derp/derphttp+
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
@ -330,22 +295,17 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-   L 💣 tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/must                                      from tailscale.com/logpolicy
        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
-        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
+        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
     💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
-   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
@ -353,6 +313,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
        tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
@ -378,13 +339,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine+
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine
        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
-        golang.org/x/net/http/httpproxy                              from net/http+
+        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
@ -412,7 +373,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from golang.org/x/net/http2+
-   L    compress/zlib                                                from debug/elf
        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@ -437,8 +397,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-   L    debug/dwarf                                                  from debug/elf
-   L    debug/elf                                                    from golang.org/x/sys/unix
        embed                                                        from tailscale.com+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@ -451,10 +409,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        encoding/xml                                                 from github.com/tailscale/goupnp+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
-        flag                                                         from net/http/httptest+
+        flag                                                         from tailscale.com/control/controlclient+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
-        hash/adler32                                                 from tailscale.com/ipn/ipnlocal+
+        hash/adler32                                                 from tailscale.com/ipn/ipnlocal
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@ -463,7 +421,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/godbus/dbus/v5+
        log                                                          from expvar+
-        log/internal                                                 from log
  LD    log/syslog                                                   from tailscale.com/ssh/tailssh
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
--- a/cmd/tailscaled/generate.go
+++ b/cmd/tailscaled/generate.go
@ -6,3 +6,4 @@ package main
 //go:generate go run tailscale.com/cmd/mkmanifest amd64 windows-manifest.xml manifest_windows_amd64.syso
 //go:generate go run tailscale.com/cmd/mkmanifest 386 windows-manifest.xml manifest_windows_386.syso
 //go:generate go run tailscale.com/cmd/mkmanifest arm64 windows-manifest.xml manifest_windows_arm64.syso
+//go:generate go run tailscale.com/cmd/mkmanifest arm windows-manifest.xml manifest_windows_arm.syso
--- a/cmd/tailscaled/manifest_windows_arm.syso
+++ b/cmd/tailscaled/manifest_windows_arm.syso
--- a/cmd/tailscaled/taildrop.go
+++ b/cmd/tailscaled/taildrop.go
@ -18,7 +18,7 @@ import (
 func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
 	dg := distro.Get()
 	switch dg {
-	case distro.Synology, distro.TrueNAS, distro.QNAP, distro.Unraid:
+	case distro.Synology, distro.TrueNAS, distro.QNAP:
 		// See if they have a "Taildrop" share.
 		// See https://github.com/tailscale/tailscale/issues/2179#issuecomment-982821319
 		path, err := findTaildropDir(dg)
@ -42,8 +42,6 @@ func findTaildropDir(dg distro.Distro) (string, error) {
 		return findTrueNASTaildropDir(name)
 	case distro.QNAP:
 		return findQnapTaildropDir(name)
-	case distro.Unraid:
-		return findUnraidTaildropDir(name)
 	}
 	return "", fmt.Errorf("%s is an unsupported distro for Taildrop dir", dg)
 }
@ -105,25 +103,3 @@ func findQnapTaildropDir(name string) (string, error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
-
-// findUnraidTaildropDir looks for a directory linked at
-// /var/lib/tailscale/Taildrop. This is a symlink to the
-// path specified by the user in the Unraid Web UI
-func findUnraidTaildropDir(name string) (string, error) {
-	dir := fmt.Sprintf("/var/lib/tailscale/%s", name)
-	_, err := os.Stat(dir)
-	if err != nil {
-		return "", fmt.Errorf("symlink %q not found", name)
-	}
-
-	fullpath, err := filepath.EvalSymlinks(dir)
-	if err != nil {
-		return "", fmt.Errorf("symlink %q to shared folder not valid", name)
-	}
-
-	fi, err := os.Stat(fullpath)
-	if err == nil && fi.IsDir() {
-		return dir, nil // return the symlink
-	}
-	return "", fmt.Errorf("shared folder %q not found", name)
-}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@ -39,28 +39,25 @@ import (
 	"tailscale.com/logtail"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/dnsfallback"
-	"tailscale.com/net/netmon"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/proxymux"
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
-	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
-	"tailscale.com/tsd"
-	"tailscale.com/tsweb/varz"
+	"tailscale.com/tsweb"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/logid"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/osshare"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
+	"tailscale.com/wgengine/monitor"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )
@ -330,19 +327,7 @@ var logPol *logpolicy.Policy
 var debugMux *http.ServeMux

 func run() error {
-	var logf logger.Logf = log.Printf
-
-	sys := new(tsd.System)
-
-	netMon, err := netmon.New(func(format string, args ...any) {
-		logf(format, args...)
-	})
-	if err != nil {
-		return fmt.Errorf("netmon.New: %w", err)
-	}
-	sys.Set(netMon)
-
-	pol := logpolicy.New(logtail.CollectionNode, netMon)
+	pol := logpolicy.New(logtail.CollectionNode)
 	pol.SetVerbosityLevel(args.verbose)
 	logPol = pol
 	defer func() {
@ -366,6 +351,7 @@ func run() error {
 		return nil
 	}

+	var logf logger.Logf = log.Printf
 	if envknob.Bool("TS_DEBUG_MEMORY") {
 		logf = logger.RusagePrefixLog(logf)
 	}
@ -391,10 +377,11 @@ func run() error {
 		debugMux = newDebugMux()
 	}

-	return startIPNServer(context.Background(), logf, pol.PublicID, sys)
+	logid := pol.PublicID.String()
+	return startIPNServer(context.Background(), logf, logid)
 }

-func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) error {
+func startIPNServer(ctx context.Context, logf logger.Logf, logid string) error {
 	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
@ -420,7 +407,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 		}
 	}()

-	srv := ipnserver.New(logf, logID, sys.NetMon.Get())
+	srv := ipnserver.New(logf, logid)
 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
 	}
@ -438,7 +425,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 				return
 			}
 		}
-		lb, err := getLocalBackend(ctx, logf, logID, sys)
+		lb, err := getLocalBackend(ctx, logf, logid)
 		if err == nil {
 			logf("got LocalBackend in %v", time.Since(t0).Round(time.Millisecond))
 			srv.SetLocalBackend(lb)
@ -462,28 +449,35 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 	return nil
 }

-func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) (_ *ipnlocal.LocalBackend, retErr error) {
+func getLocalBackend(ctx context.Context, logf logger.Logf, logid string) (_ *ipnlocal.LocalBackend, retErr error) {
+	linkMon, err := monitor.New(logf)
+	if err != nil {
+		return nil, fmt.Errorf("monitor.New: %w", err)
+	}
 	if logPol != nil {
-		logPol.Logtail.SetNetMon(sys.NetMon.Get())
+		logPol.Logtail.SetLinkMonitor(linkMon)
 	}

 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

 	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
-	sys.Set(dialer)
-
-	onlyNetstack, err := createEngine(logf, sys)
+	e, onlyNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return nil, fmt.Errorf("createEngine: %w", err)
 	}
+	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
+		panic("internal error: exit node resolver not wired up")
+	}
 	if debugMux != nil {
-		if ms, ok := sys.MagicSock.GetOK(); ok {
-			debugMux.HandleFunc("/debug/magicsock", ms.ServeHTTPDebug)
+		if ig, ok := e.(wgengine.InternalsGetter); ok {
+			if _, mc, _, ok := ig.GetInternals(); ok {
+				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
+			}
 		}
 		go runDebugServer(debugMux, args.debug)
 	}

-	ns, err := newNetstack(logf, sys)
+	ns, err := newNetstack(logf, dialer, e)
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
@ -491,7 +485,6 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()

 	if onlyNetstack {
-		e := sys.Engine.Get()
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
@ -501,13 +494,11 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		}
 	}
 	if socksListener != nil || httpProxyListener != nil {
-		var addrs []string
 		if httpProxyListener != nil {
 			hs := &http.Server{Handler: httpProxyHandler(dialer.UserDial)}
 			go func() {
 				log.Fatalf("HTTP proxy exited: %v", hs.Serve(httpProxyListener))
 			}()
-			addrs = append(addrs, httpProxyListener.Addr().String())
 		}
 		if socksListener != nil {
 			ss := &socks5.Server{
@ -517,20 +508,19 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 			go func() {
 				log.Fatalf("SOCKS5 server exited: %v", ss.Serve(socksListener))
 			}()
-			addrs = append(addrs, socksListener.Addr().String())
 		}
-		tshttpproxy.SetSelfProxy(addrs...)
 	}

+	e = wgengine.NewWatchdog(e)
+
 	opts := ipnServerOpts()

 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
 		return nil, fmt.Errorf("store.New: %w", err)
 	}
-	sys.Set(store)

-	lb, err := ipnlocal.NewLocalBackend(logf, logID, sys, opts.LoginFlags)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, dialer, e, opts.LoginFlags)
 	if err != nil {
 		return nil, fmt.Errorf("ipnlocal.NewLocalBackend: %w", err)
 	}
@ -539,7 +529,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		lb.SetLogFlusher(logPol.Logtail.StartFlush)
 	}
 	if root := lb.TailscaleVarRoot(); root != "" {
-		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
+		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"))
 	}
 	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
 		return smallzstd.NewDecoder(nil)
@ -556,21 +546,21 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 //
 // onlyNetstack is true if the user has explicitly requested that we use netstack
 // for all networking.
-func createEngine(logf logger.Logf, sys *tsd.System) (onlyNetstack bool, err error) {
+func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer) (e wgengine.Engine, onlyNetstack bool, err error) {
 	if args.tunname == "" {
-		return false, errors.New("no --tun value specified")
+		return nil, false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		onlyNetstack, err = tryEngine(logf, sys, name)
+		e, onlyNetstack, err = tryEngine(logf, linkMon, dialer, name)
 		if err == nil {
-			return onlyNetstack, nil
+			return e, onlyNetstack, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
 	}
-	return false, multierr.New(errs...)
+	return nil, false, multierr.New(errs...)
 }

 // handleSubnetsInNetstack reports whether netstack should handle subnet routers
@ -595,23 +585,21 @@ func handleSubnetsInNetstack() bool {

 var tstunNew = tstun.New

-func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack bool, err error) {
+func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetstack bool, err error) {
 	conf := wgengine.Config{
-		ListenPort:   args.port,
-		NetMon:       sys.NetMon.Get(),
-		Dialer:       sys.Dialer.Get(),
-		SetSubsystem: sys.Set,
+		ListenPort:  args.port,
+		LinkMonitor: linkMon,
+		Dialer:      dialer,
 	}

 	onlyNetstack = name == "userspace-networking"
-	netstackSubnetRouter := onlyNetstack // but mutated later on some platforms
 	netns.SetEnabled(!onlyNetstack)

 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
 		conf.BIRDClient, err = createBIRDClient(args.birdSocketPath)
 		if err != nil {
-			return false, fmt.Errorf("createBIRDClient: %w", err)
+			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
 	if onlyNetstack {
@ -624,55 +612,44 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 			// TODO(bradfitz): add a Synology-specific DNS manager.
 			conf.DNS, err = dns.NewOSConfigurator(logf, "") // empty interface name
 			if err != nil {
-				return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+				return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 			}
 		}
 	} else {
 		dev, devName, err := tstunNew(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name, err)
-			return false, fmt.Errorf("tstun.New(%q): %w", name, err)
+			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev
 		if strings.HasPrefix(name, "tap:") {
 			conf.IsTAP = true
 			e, err := wgengine.NewUserspaceEngine(logf, conf)
-			if err != nil {
-				return false, err
-			}
-			sys.Set(e)
-			return false, err
+			return e, false, err
 		}

-		r, err := router.New(logf, dev, sys.NetMon.Get())
+		r, err := router.New(logf, dev, linkMon)
 		if err != nil {
 			dev.Close()
-			return false, fmt.Errorf("creating router: %w", err)
+			return nil, false, fmt.Errorf("creating router: %w", err)
 		}
-
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
 			dev.Close()
 			r.Close()
-			return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
 		conf.Router = r
 		if handleSubnetsInNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
-			netstackSubnetRouter = true
 		}
-		sys.Set(conf.Router)
 	}
-	e, err := wgengine.NewUserspaceEngine(logf, conf)
+	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return onlyNetstack, err
+		return nil, onlyNetstack, err
 	}
-	e = wgengine.NewWatchdog(e)
-	sys.Set(e)
-	sys.NetstackRouter.Set(netstackSubnetRouter)
-
-	return onlyNetstack, nil
+	return e, onlyNetstack, nil
 }

 func newDebugMux() *http.ServeMux {
@ -688,7 +665,7 @@ func newDebugMux() *http.ServeMux {

 func servePrometheusMetrics(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain")
-	varz.Handler(w, r)
+	tsweb.VarzHandler(w, r)
 	clientmetric.WritePrometheusExpositionFormat(w)
 }

@ -702,8 +679,12 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 	}
 }

-func newNetstack(logf logger.Logf, sys *tsd.System) (*netstack.Impl, error) {
-	return netstack.Create(logf, sys.Tun.Get(), sys.Engine.Get(), sys.MagicSock.Get(), sys.Dialer.Get(), sys.DNSManager.Get())
+func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
+	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
+	if !ok {
+		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
+	}
+	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
 }

 // mustStartProxyListeners creates listeners for local SOCKS and HTTP
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@ -45,11 +45,8 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/dns"
-	"tailscale.com/net/netmon"
 	"tailscale.com/net/tstun"
-	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/logid"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
@ -126,10 +123,6 @@ var syslogf logger.Logf = logger.Discard
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
-	go func() {
-		winutil.LogSupportInfo(log.Printf)
-	}()
-
 	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
@ -269,13 +262,13 @@ func beWindowsSubprocess() bool {
 	if len(os.Args) != 3 || os.Args[1] != "/subproc" {
 		return false
 	}
-	logID := os.Args[2]
+	logid := os.Args[2]

 	// Remove the date/time prefix; the logtail + file loggers add it.
 	log.SetFlags(0)

-	log.Printf("Program starting: v%v: %#v", version.Long(), os.Args)
-	log.Printf("subproc mode: logid=%v", logID)
+	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
+	log.Printf("subproc mode: logid=%v", logid)
 	if err := envknob.ApplyDiskConfigError(); err != nil {
 		log.Printf("Error reading environment config: %v", err)
 	}
@ -297,15 +290,7 @@ func beWindowsSubprocess() bool {
 		}
 	}()

-	sys := new(tsd.System)
-	netMon, err := netmon.New(log.Printf)
-	if err != nil {
-		log.Fatalf("Could not create netMon: %v", err)
-	}
-	sys.Set(netMon)
-
-	publicLogID, _ := logid.ParsePublicID(logID)
-	err = startIPNServer(ctx, log.Printf, publicLogID, sys)
+	err := startIPNServer(ctx, log.Printf, logid)
 	if err != nil {
 		log.Fatalf("ipnserver: %v", err)
 	}
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .45.0
 .37.0