ipn

package
v0.0.0-...-113f59a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 16, 2024 License: BSD-3-Clause Imports: 32 Imported by: 0

Documentation

Overview

Package ipn implements the interactions between the Tailscale cloud control plane and the local network stack.

IPN is the abbreviated name for a Tailscale network. What's less clear is what it's an abbreviation for: Identified Private Network? IP Network? Internet Private Network? I Privately Network?

Index

Constants

View Source
const (
	// MachineKeyStateKey is the key under which we store the machine key,
	// in its key.NodePrivate.MarshalText representation.
	MachineKeyStateKey = StateKey("_machinekey")

	// LegacyGlobalDaemonStateKey is the ipn.StateKey that tailscaled
	// loads on startup.
	//
	// We have to support multiple state keys for other OSes (Windows in
	// particular), but right now Unix daemons run with a single
	// node-global state. To keep open the option of having per-user state
	// later, the global state key doesn't look like a username.
	//
	// As of 2022-10-21, it has been superseded by profiles and is no longer
	// written to disk. It is only read at startup when there are no profiles,
	// to migrate the state to the "default" profile.
	// The existing state is left on disk in case the user downgrades to an
	// older version of Tailscale that doesn't support profiles. We can
	// remove this in a future release.
	LegacyGlobalDaemonStateKey = StateKey("_daemon")

	// ServerModeStartKey's value, if non-empty, is the value of a
	// StateKey containing the prefs to start with which to start the
	// server.
	//
	// For example, the value might be "user-1234", meaning the
	// the server should start with the Prefs JSON loaded from
	// StateKey "user-1234".
	ServerModeStartKey = StateKey("server-mode-start-key")

	// KnownProfilesStateKey is the key under which we store the list of
	// known profiles. The value is a JSON-encoded []LoginProfile.
	KnownProfilesStateKey = StateKey("_profiles")

	// CurrentProfileStateKey is the key under which we store the current
	// profile.
	CurrentProfileStateKey = StateKey("_current-profile")

	// TaildropReceivedKey is the key to indicate whether any taildrop file
	// has ever been received (even if partially).
	// Any non-empty value indicates that at least one file has been received.
	TaildropReceivedKey = StateKey("_taildrop-received")
)
View Source
const DefaultControlURL = "https://controlplane.tailscale.com"

DefaultControlURL is the URL base of the control plane ("coordination server") for use when no explicit one is configured. The default control plane is the hosted version run by Tailscale.com.

View Source
const GoogleIDTokenType = "ts_android_google_login"

GoogleIDToken Type is the tailcfg.Oauth2Token.TokenType for the Google ID tokens used by the Android client.

Variables

View Source
var DebuggableComponents = []string{
	"magicsock",
	"sockstats",
}

DebuggableComponents is a list of components whose debugging can be turned on and off individually using the tailscale debug command.

View Source
var (
	// ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the
	// Prefs.ExitNodeID field is already set.
	ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set")
)
View Source
var ErrStateNotExist = errors.New("no state with given ID")

ErrStateNotExist is returned by StateStore.ReadState when the requested state ID doesn't exist.

Functions

func CheckFunnelAccess

func CheckFunnelAccess(port uint16, node *ipnstate.PeerStatus) error

CheckFunnelAccess checks whether Funnel access is allowed for the given node and port. It checks:

  1. HTTPS is enabled on the Tailnet
  2. the node has the "funnel" nodeAttr
  3. the port is allowed for Funnel

The node arg should be the ipnstate.Status.Self node.

func CheckFunnelPort

func CheckFunnelPort(wantedPort uint16, node *ipnstate.PeerStatus) error

CheckFunnelPort checks whether the given port is allowed for Funnel. It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed ports.

func IsLoginServerSynonym

func IsLoginServerSynonym(val any) bool

IsLoginServerSynonym reports whether a URL is a drop-in replacement for the primary Tailscale login server.

func PutStoreInt

func PutStoreInt(store StateStore, id StateKey, val int64) error

PutStoreInt puts an integer into a StateStore.

func ReadStoreInt

func ReadStoreInt(store StateStore, id StateKey) (int64, error)

ReadStoreInt reads an integer from a StateStore.

func SavePrefs

func SavePrefs(filename string, p *Prefs)

func WriteState

func WriteState(store StateStore, id StateKey, v []byte) error

WriteState is a wrapper around store.WriteState that only writes if the value is different from what's already in the store.

Types

type AppConnectorPrefs

type AppConnectorPrefs struct {
	// Advertise specifies whether the app connector subsystem is advertising
	// this node as a connector.
	Advertise bool
}

AppConnectorPrefs are the app connector settings for the node agent.

func (AppConnectorPrefs) Pretty

func (ap AppConnectorPrefs) Pretty() string

type AutoUpdatePrefs

type AutoUpdatePrefs struct {
	// Check specifies whether background checks for updates are enabled. When
	// enabled, tailscaled will periodically check for available updates and
	// notify the user about them.
	Check bool
	// Apply specifies whether background auto-updates are enabled. When
	// enabled, tailscaled will apply available updates in the background.
	// Check must also be set when Apply is set.
	Apply opt.Bool
}

AutoUpdatePrefs are the auto update settings for the node agent.

func (AutoUpdatePrefs) Equals

func (au1 AutoUpdatePrefs) Equals(au2 AutoUpdatePrefs) bool

func (AutoUpdatePrefs) Pretty

func (au AutoUpdatePrefs) Pretty() string

type AutoUpdatePrefsMask

type AutoUpdatePrefsMask struct {
	CheckSet bool `json:",omitempty"`
	ApplySet bool `json:",omitempty"`
}

func (AutoUpdatePrefsMask) Pretty

type ConfigVAlpha

type ConfigVAlpha struct {
	Version string   // "alpha0" for now
	Locked  opt.Bool `json:",omitempty"` // whether the config is locked from being changed by 'tailscale set'; it defaults to true

	ServerURL *string  `json:",omitempty"` // defaults to https://controlplane.tailscale.com
	AuthKey   *string  `json:",omitempty"` // as needed if NeedsLogin. either key or path to a file (if prefixed with "file:")
	Enabled   opt.Bool `json:",omitempty"` // wantRunning; empty string defaults to true

	OperatorUser *string `json:",omitempty"` // local user name who is allowed to operate tailscaled without being root or using sudo
	Hostname     *string `json:",omitempty"`

	AcceptDNS    opt.Bool `json:"acceptDNS,omitempty"` // --accept-dns
	AcceptRoutes opt.Bool `json:"acceptRoutes,omitempty"`

	ExitNode                   *string  `json:"exitNode,omitempty"` // IP, StableID, or MagicDNS base name
	AllowLANWhileUsingExitNode opt.Bool `json:"allowLANWhileUsingExitNode,omitempty"`

	AdvertiseRoutes []netip.Prefix `json:",omitempty"`
	DisableSNAT     opt.Bool       `json:",omitempty"`

	NetfilterMode *string `json:",omitempty"` // "on", "off", "nodivert"

	PostureChecking opt.Bool         `json:",omitempty"`
	RunSSHServer    opt.Bool         `json:",omitempty"` // Tailscale SSH
	RunWebClient    opt.Bool         `json:",omitempty"`
	ShieldsUp       opt.Bool         `json:",omitempty"`
	AutoUpdate      *AutoUpdatePrefs `json:",omitempty"`
	ServeConfigTemp *ServeConfig     `json:",omitempty"` // TODO(bradfitz,maisem): make separate stable type for this

}

ConfigVAlpha is the config file format for the "alpha0" version.

func (*ConfigVAlpha) ToPrefs

func (c *ConfigVAlpha) ToPrefs() (MaskedPrefs, error)

type EngineStatus

type EngineStatus struct {
	RBytes, WBytes int64
	NumLive        int
	LiveDERPs      int // number of active DERP connections
	LivePeers      map[key.NodePublic]ipnstate.PeerStatusLite
}

EngineStatus contains WireGuard engine stats.

type ExitNodeLocalIPError

type ExitNodeLocalIPError struct {
	// contains filtered or unexported fields
}

ExitNodeLocalIPError is returned when the requested IP address for an exit node belongs to the local machine.

func (ExitNodeLocalIPError) Error

func (e ExitNodeLocalIPError) Error() string

type FunnelConn

type FunnelConn struct {
	// Conn is the underlying connection.
	net.Conn

	// Target is what was presented in the "Tailscale-Ingress-Target"
	// HTTP header.
	Target HostPort

	// Src is the source address of the connection.
	// This is the address of the client that initiated the
	// connection, not the address of the Tailscale Funnel
	// node which is relaying the connection. That address
	// can be found in Conn.RemoteAddr.
	Src netip.AddrPort
}

A FunnelConn wraps a net.Conn that is coming over a Funnel connection. It can be used to determine further information about the connection, like the source address and the target SNI name.

type HTTPHandler

type HTTPHandler struct {
	Path  string `json:",omitempty"` // absolute path to directory or file to serve
	Proxy string `json:",omitempty"` // http://localhost:3000/, localhost:3030, 3030

	Text string `json:",omitempty"` // plaintext to serve (primarily for testing)

}

HTTPHandler is either a path or a proxy to serve.

func (*HTTPHandler) Clone

func (src *HTTPHandler) Clone() *HTTPHandler

Clone makes a deep copy of HTTPHandler. The result aliases no memory with the original.

func (*HTTPHandler) View

func (p *HTTPHandler) View() HTTPHandlerView

View returns a readonly view of HTTPHandler.

type HTTPHandlerView

type HTTPHandlerView struct {
	// contains filtered or unexported fields
}

HTTPHandlerView provides a read-only view over HTTPHandler.

Its methods should only be called if `Valid()` returns true.

func (HTTPHandlerView) AsStruct

func (v HTTPHandlerView) AsStruct() *HTTPHandler

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (HTTPHandlerView) MarshalJSON

func (v HTTPHandlerView) MarshalJSON() ([]byte, error)

func (HTTPHandlerView) Path

func (v HTTPHandlerView) Path() string

func (HTTPHandlerView) Proxy

func (v HTTPHandlerView) Proxy() string

func (HTTPHandlerView) Text

func (v HTTPHandlerView) Text() string

func (*HTTPHandlerView) UnmarshalJSON

func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error

func (HTTPHandlerView) Valid

func (v HTTPHandlerView) Valid() bool

Valid reports whether underlying value is non-nil.

type HostPort

type HostPort string

HostPort is an SNI name and port number, joined by a colon. There is no implicit port 443. It must contain a colon.

func (HostPort) Port

func (hp HostPort) Port() (uint16, error)

Port extracts just the port number from hp. An error is reported in the case that the hp does not have a valid numeric port ending.

type LoginProfile

type LoginProfile struct {
	// ID is a unique identifier for this profile.
	// It is assigned on creation and never changes.
	// It may seem redundant to have both ID and UserProfile.ID
	// but they are different things. UserProfile.ID may change
	// over time (e.g. if a device is tagged).
	ID ProfileID

	// Name is the user-visible name of this profile.
	// It is filled in from the UserProfile.LoginName field.
	Name string

	// NetworkProfile is a subset of netmap.NetworkMap that we
	// store to remember information about the tailnet that this
	// profile was logged in with.
	//
	// This field was added on 2023-11-17.
	NetworkProfile NetworkProfile

	// Key is the StateKey under which the profile is stored.
	// It is assigned once at profile creation time and never changes.
	Key StateKey

	// UserProfile is the server provided UserProfile for this profile.
	// This is updated whenever the server provides a new UserProfile.
	UserProfile tailcfg.UserProfile

	// NodeID is the NodeID of the node that this profile is logged into.
	// This should be stable across tagging and untagging nodes.
	// It may seem redundant to check against both the UserProfile.UserID
	// and the NodeID. However the NodeID can change if the node is deleted
	// from the admin panel.
	NodeID tailcfg.StableNodeID

	// LocalUserID is the user ID of the user who created this profile.
	// It is only relevant on Windows where we have a multi-user system.
	// It is assigned once at profile creation time and never changes.
	LocalUserID WindowsUserID

	// ControlURL is the URL of the control server that this profile is logged
	// into.
	ControlURL string
}

LoginProfile represents a single login profile as managed by the ProfileManager.

type MaskedPrefs

type MaskedPrefs struct {
	Prefs

	ControlURLSet             bool                `json:",omitempty"`
	RouteAllSet               bool                `json:",omitempty"`
	AllowSingleHostsSet       bool                `json:",omitempty"`
	ExitNodeIDSet             bool                `json:",omitempty"`
	ExitNodeIPSet             bool                `json:",omitempty"`
	ExitNodeAllowLANAccessSet bool                `json:",omitempty"`
	CorpDNSSet                bool                `json:",omitempty"`
	RunSSHSet                 bool                `json:",omitempty"`
	RunWebClientSet           bool                `json:",omitempty"`
	WantRunningSet            bool                `json:",omitempty"`
	LoggedOutSet              bool                `json:",omitempty"`
	ShieldsUpSet              bool                `json:",omitempty"`
	AdvertiseTagsSet          bool                `json:",omitempty"`
	HostnameSet               bool                `json:",omitempty"`
	NotepadURLsSet            bool                `json:",omitempty"`
	ForceDaemonSet            bool                `json:",omitempty"`
	EggSet                    bool                `json:",omitempty"`
	AdvertiseRoutesSet        bool                `json:",omitempty"`
	NoSNATSet                 bool                `json:",omitempty"`
	NetfilterModeSet          bool                `json:",omitempty"`
	OperatorUserSet           bool                `json:",omitempty"`
	ProfileNameSet            bool                `json:",omitempty"`
	AutoUpdateSet             AutoUpdatePrefsMask `json:",omitempty"`
	AppConnectorSet           bool                `json:",omitempty"`
	PostureCheckingSet        bool                `json:",omitempty"`
	NetfilterKindSet          bool                `json:",omitempty"`
}

MaskedPrefs is a Prefs with an associated bitmask of which fields are set.

Each FooSet field maps to a corresponding Foo field in Prefs. FooSet can be a struct, in which case inner fields of FooSet map to inner fields of Foo in Prefs (see AutoUpdateSet for example).

func (*MaskedPrefs) IsEmpty

func (m *MaskedPrefs) IsEmpty() bool

IsEmpty reports whether there are no masks set or if m is nil.

func (*MaskedPrefs) Pretty

func (m *MaskedPrefs) Pretty() string

type NetworkProfile

type NetworkProfile struct {
	MagicDNSName string
	DomainName   string
}

NetworkProfile is a subset of netmap.NetworkMap that should be saved with each user profile.

func (NetworkProfile) RequiresBackfill

func (n NetworkProfile) RequiresBackfill() bool

RequiresBackfill returns whether this object does not have all the data expected. This is because this struct is a later addition to LoginProfile and this method can be checked to see if it's been backfilled to the current expectation or not. Note that for now, it just checks if the struct is empty. In the future, if we have new optional fields, this method can be changed to do more explicit checks to return whether it's apt for a backfill or not.

type Notify

type Notify struct {
	Version string // version number of IPN backend

	// SessionID identifies the unique WatchIPNBus session.
	// This field is only set in the first message when requesting
	// NotifyInitialState. Clients must store it on their side as
	// following notifications will not include this field.
	SessionID string `json:",omitempty"`

	// ErrMessage, if non-nil, contains a critical error message.
	// For State InUseOtherUser, ErrMessage is not critical and just contains the details.
	ErrMessage *string

	LoginFinished *empty.Message     // non-nil when/if the login process succeeded
	State         *State             // if non-nil, the new or current IPN state
	Prefs         *PrefsView         // if non-nil && Valid, the new or current preferences
	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
	BrowseToURL   *string            // if non-nil, UI should open a browser right now
	BackendLogID  *string            // if non-nil, the public logtail ID used by backend

	// FilesWaiting if non-nil means that files are buffered in
	// the Tailscale daemon and ready for local transfer to the
	// user's preferred storage location.
	//
	// Deprecated: use LocalClient.AwaitWaitingFiles instead.
	FilesWaiting *empty.Message `json:",omitempty"`

	// IncomingFiles, if non-nil, specifies which files are in the
	// process of being received. A nil IncomingFiles means this
	// Notify should not update the state of file transfers. A non-nil
	// but empty IncomingFiles means that no files are in the middle
	// of being transferred.
	//
	// Deprecated: use LocalClient.AwaitWaitingFiles instead.
	IncomingFiles []PartialFile `json:",omitempty"`

	// LocalTCPPort, if non-nil, informs the UI frontend which
	// (non-zero) localhost TCP port it's listening on.
	// This is currently only used by Tailscale when run in the
	// macOS Network Extension.
	LocalTCPPort *uint16 `json:",omitempty"`

	// ClientVersion, if non-nil, describes whether a client version update
	// is available.
	ClientVersion *tailcfg.ClientVersion `json:",omitempty"`

	// TailFSShares tracks the full set of current TailFSShares that we're
	// publishing as name->path. Some client applications, like the MacOS and
	// Windows clients, will listen for updates to this and handle serving
	// these shares under the identity of the unprivileged user that is running
	// the application.
	TailFSShares map[string]string `json:",omitempty"`
	// contains filtered or unexported fields
}

Notify is a communication from a backend (e.g. tailscaled) to a frontend (cmd/tailscale, iOS, macOS, Win Tasktray). In any given notification, any or all of these may be nil, meaning that they have not changed. They are JSON-encoded on the wire, despite the lack of struct tags.

func (Notify) String

func (n Notify) String() string

type NotifyWatchOpt

type NotifyWatchOpt uint64

NotifyWatchOpt is a bitmask of options about what type of Notify messages to subscribe to.

const (
	// NotifyWatchEngineUpdates, if set, causes Engine updates to be sent to the
	// client either regularly or when they change, without having to ask for
	// each one via RequestEngineStatus.
	NotifyWatchEngineUpdates NotifyWatchOpt = 1 << iota

	NotifyInitialState  // if set, the first Notify message (sent immediately) will contain the current State + BrowseToURL + SessionID
	NotifyInitialPrefs  // if set, the first Notify message (sent immediately) will contain the current Prefs
	NotifyInitialNetMap // if set, the first Notify message (sent immediately) will contain the current NetMap

	NotifyNoPrivateKeys       // if set, private keys that would normally be sent in updates are zeroed out
	NotifyInitialTailFSShares // if set, the first Notify message (sent immediately) will contain the current TailFS Shares
)

type Options

type Options struct {
	// FrontendLogID is the public logtail id used by the frontend.
	FrontendLogID string
	// LegacyMigrationPrefs are used to migrate preferences from the
	// frontend to the backend.
	// If non-nil, they are imported as a new profile.
	LegacyMigrationPrefs *Prefs `json:"Prefs"`
	// UpdatePrefs, if provided, overrides Options.LegacyMigrationPrefs
	// *and* the Prefs already stored in the backend state, *except* for
	// the Persist member. If you just want to provide prefs, this is
	// probably what you want.
	//
	// TODO(apenwarr): Rename this to Prefs, and possibly move Prefs.Persist
	//   elsewhere entirely (as it always should have been). Or, move the
	//   fancy state migration stuff out of Start().
	UpdatePrefs *Prefs
	// AuthKey is an optional node auth key used to authorize a
	// new node key without user interaction.
	AuthKey string
}

type PartialFile

type PartialFile struct {
	Name         string    // e.g. "foo.jpg"
	Started      time.Time // time transfer started
	DeclaredSize int64     // or -1 if unknown
	Received     int64     // bytes copied thus far

	// PartialPath is set non-empty in "direct" file mode to the
	// in-progress '*.partial' file's path when the peerapi isn't
	// being used; see LocalBackend.SetDirectFileRoot.
	PartialPath string `json:",omitempty"`
	FinalPath   string `json:",omitempty"`

	// Done is set in "direct" mode when the partial file has been
	// closed and is ready for the caller to rename away the
	// ".partial" suffix.
	Done bool `json:",omitempty"`
}

PartialFile represents an in-progress file transfer.

type Prefs

type Prefs struct {
	// ControlURL is the URL of the control server to use.
	//
	// If empty, the default for new installs, DefaultControlURL
	// is used. It's set non-empty once the daemon has been started
	// for the first time.
	//
	// TODO(apenwarr): Make it safe to update this with SetPrefs().
	// Right now, you have to pass it in the initial prefs in Start(),
	// which is the only code that actually uses the ControlURL value.
	// It would be more consistent to restart controlclient
	// automatically whenever this variable changes.
	//
	// Meanwhile, you have to provide this as part of
	// Options.LegacyMigrationPrefs or Options.UpdatePrefs when
	// calling Backend.Start().
	ControlURL string

	// RouteAll specifies whether to accept subnets advertised by
	// other nodes on the Tailscale network. Note that this does not
	// include default routes (0.0.0.0/0 and ::/0), those are
	// controlled by ExitNodeID/IP below.
	RouteAll bool

	// AllowSingleHosts specifies whether to install routes for each
	// node IP on the tailscale network, in addition to a route for
	// the whole network.
	// This corresponds to the "tailscale up --host-routes" value,
	// which defaults to true.
	//
	// TODO(danderson): why do we have this? It dumps a lot of stuff
	// into the routing table, and a single network route _should_ be
	// all that we need. But when I turn this off in my tailscaled,
	// packets stop flowing. What's up with that?
	AllowSingleHosts bool

	// ExitNodeID and ExitNodeIP specify the node that should be used
	// as an exit node for internet traffic. At most one of these
	// should be non-zero.
	//
	// The preferred way to express the chosen node is ExitNodeID, but
	// in some cases it's not possible to use that ID (e.g. in the
	// linux CLI, before tailscaled has a netmap). For those
	// situations, we allow specifying the exit node by IP, and
	// ipnlocal.LocalBackend will translate the IP into an ID when the
	// node is found in the netmap.
	//
	// If the selected exit node doesn't exist (e.g. it's not part of
	// the current tailnet), or it doesn't offer exit node services, a
	// blackhole route will be installed on the local system to
	// prevent any traffic escaping to the local network.
	ExitNodeID tailcfg.StableNodeID
	ExitNodeIP netip.Addr

	// ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
	// routed directly or via the exit node.
	ExitNodeAllowLANAccess bool

	// CorpDNS specifies whether to install the Tailscale network's
	// DNS configuration, if it exists.
	CorpDNS bool

	// RunSSH bool is whether this node should run an SSH
	// server, permitting access to peers according to the
	// policies as configured by the Tailnet's admin(s).
	RunSSH bool

	// RunWebClient bool is whether this node should run a web client,
	// permitting access to peers according to the
	// policies as configured by the Tailnet's admin(s).
	RunWebClient bool

	// WantRunning indicates whether networking should be active on
	// this node.
	WantRunning bool

	// LoggedOut indicates whether the user intends to be logged out.
	// There are other reasons we may be logged out, including no valid
	// keys.
	// We need to remember this state so that, on next startup, we can
	// generate the "Login" vs "Connect" buttons correctly, without having
	// to contact the server to confirm our nodekey status first.
	LoggedOut bool

	// ShieldsUp indicates whether to block all incoming connections,
	// regardless of the control-provided packet filter. If false, we
	// use the packet filter as provided. If true, we block incoming
	// connections. This overrides tailcfg.Hostinfo's ShieldsUp.
	ShieldsUp bool

	// AdvertiseTags specifies groups that this node wants to join, for
	// purposes of ACL enforcement. These can be referenced from the ACL
	// security policy. Note that advertising a tag doesn't guarantee that
	// the control server will allow you to take on the rights for that
	// tag.
	AdvertiseTags []string

	// Hostname is the hostname to use for identifying the node. If
	// not set, os.Hostname is used.
	Hostname string

	// NotepadURLs is a debugging setting that opens OAuth URLs in
	// notepad.exe on Windows, rather than loading them in a browser.
	//
	// apenwarr 2020-04-29: Unfortunately this is still needed sometimes.
	// Windows' default browser setting is sometimes screwy and this helps
	// users narrow it down a bit.
	NotepadURLs bool

	// ForceDaemon specifies whether a platform that normally
	// operates in "client mode" (that is, requires an active user
	// logged in with the GUI app running) should keep running after the
	// GUI ends and/or the user logs out.
	//
	// The only current applicable platform is Windows. This
	// forced Windows to go into "server mode" where Tailscale is
	// running even with no users logged in. This might also be
	// used for macOS in the future. This setting has no effect
	// for Linux/etc, which always operate in daemon mode.
	ForceDaemon bool `json:"ForceDaemon,omitempty"`

	// Egg is a optional debug flag.
	Egg bool `json:",omitempty"`

	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
	// Tailscale network as reachable through the current
	// node.
	AdvertiseRoutes []netip.Prefix

	// NoSNAT specifies whether to source NAT traffic going to
	// destinations in AdvertiseRoutes. The default is to apply source
	// NAT, which makes the traffic appear to come from the router
	// machine rather than the peer's Tailscale IP.
	//
	// Disabling SNAT requires additional manual configuration in your
	// network to route Tailscale traffic back to the subnet relay
	// machine.
	//
	// Linux-only.
	NoSNAT bool

	// NetfilterMode specifies how much to manage netfilter rules for
	// Tailscale, if at all.
	NetfilterMode preftype.NetfilterMode

	// OperatorUser is the local machine user name who is allowed to
	// operate tailscaled without being root or using sudo.
	OperatorUser string `json:",omitempty"`

	// ProfileName is the desired name of the profile. If empty, then the user's
	// LoginName is used. It is only used for display purposes in the client UI
	// and CLI.
	ProfileName string `json:",omitempty"`

	// AutoUpdate sets the auto-update preferences for the node agent. See
	// AutoUpdatePrefs docs for more details.
	AutoUpdate AutoUpdatePrefs

	// AppConnector sets the app connector preferences for the node agent. See
	// AppConnectorPrefs docs for more details.
	AppConnector AppConnectorPrefs

	// PostureChecking enables the collection of information used for device
	// posture checks.
	PostureChecking bool

	// NetfilterKind specifies what netfilter implementation to use.
	//
	// Linux-only.
	NetfilterKind string

	// The Persist field is named 'Config' in the file for backward
	// compatibility with earlier versions.
	// TODO(apenwarr): We should move this out of here, it's not a pref.
	//  We can maybe do that once we're sure which module should persist
	//  it (backend or frontend?)
	Persist *persist.Persist `json:"Config"`
}

Prefs are the user modifiable settings of the Tailscale node agent. When you add a Pref to this struct, remember to add a corresponding field in MaskedPrefs, and check your field for equality in Prefs.Equals().

func LoadPrefs

func LoadPrefs(filename string) (*Prefs, error)

LoadPrefs loads a legacy relaynode config file into Prefs with sensible migration defaults set.

func NewPrefs

func NewPrefs() *Prefs

NewPrefs returns the default preferences to use.

func PrefsFromBytes

func PrefsFromBytes(b []byte) (*Prefs, error)

PrefsFromBytes deserializes Prefs from a JSON blob.

func (*Prefs) AdminPageURL

func (p *Prefs) AdminPageURL() string

AdminPageURL returns the admin web site URL for the current ControlURL.

func (*Prefs) AdvertisesExitNode

func (p *Prefs) AdvertisesExitNode() bool

AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.

func (*Prefs) ApplyEdits

func (p *Prefs) ApplyEdits(m *MaskedPrefs)

ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs Set field that's true.

func (*Prefs) ClearExitNode

func (p *Prefs) ClearExitNode()

ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.

func (*Prefs) Clone

func (src *Prefs) Clone() *Prefs

Clone makes a deep copy of Prefs. The result aliases no memory with the original.

func (*Prefs) ControlURLOrDefault

func (p *Prefs) ControlURLOrDefault() string

ControlURLOrDefault returns the coordination server's URL base.

If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.

func (*Prefs) Equals

func (p *Prefs) Equals(p2 *Prefs) bool

func (*Prefs) IsEmpty

func (p *Prefs) IsEmpty() bool

IsEmpty reports whether p is nil or pointing to a Prefs zero value.

func (*Prefs) Pretty

func (p *Prefs) Pretty() string

func (*Prefs) SetAdvertiseExitNode

func (p *Prefs) SetAdvertiseExitNode(runExit bool)

SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two /0 exit node routes.

func (*Prefs) SetExitNodeIP

func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error

SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string specifying either an IP address or a MagicDNS base name ("foo", as opposed to "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and will fail if ExitNodeID is already set.

func (*Prefs) ShouldSSHBeRunning

func (p *Prefs) ShouldSSHBeRunning() bool

ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.

func (*Prefs) ShouldWebClientBeRunning

func (p *Prefs) ShouldWebClientBeRunning() bool

ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.

func (*Prefs) ToBytes

func (p *Prefs) ToBytes() []byte

func (*Prefs) View

func (p *Prefs) View() PrefsView

View returns a readonly view of Prefs.

type PrefsView

type PrefsView struct {
	// contains filtered or unexported fields
}

PrefsView provides a read-only view over Prefs.

Its methods should only be called if `Valid()` returns true.

func (PrefsView) AdminPageURL

func (p PrefsView) AdminPageURL() string

AdminPageURL returns the admin web site URL for the current ControlURL.

func (PrefsView) AdvertiseRoutes

func (v PrefsView) AdvertiseRoutes() views.Slice[netip.Prefix]

func (PrefsView) AdvertiseTags

func (v PrefsView) AdvertiseTags() views.Slice[string]

func (PrefsView) AdvertisesExitNode

func (p PrefsView) AdvertisesExitNode() bool

AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.

func (PrefsView) AllowSingleHosts

func (v PrefsView) AllowSingleHosts() bool

func (PrefsView) AppConnector

func (v PrefsView) AppConnector() AppConnectorPrefs

func (PrefsView) AsStruct

func (v PrefsView) AsStruct() *Prefs

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (PrefsView) AutoUpdate

func (v PrefsView) AutoUpdate() AutoUpdatePrefs

func (PrefsView) ControlURL

func (v PrefsView) ControlURL() string

func (PrefsView) ControlURLOrDefault

func (p PrefsView) ControlURLOrDefault() string

ControlURLOrDefault returns the coordination server's URL base.

If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.

func (PrefsView) CorpDNS

func (v PrefsView) CorpDNS() bool

func (PrefsView) Egg

func (v PrefsView) Egg() bool

func (PrefsView) Equals

func (p PrefsView) Equals(p2 PrefsView) bool

func (PrefsView) ExitNodeAllowLANAccess

func (v PrefsView) ExitNodeAllowLANAccess() bool

func (PrefsView) ExitNodeID

func (v PrefsView) ExitNodeID() tailcfg.StableNodeID

func (PrefsView) ExitNodeIP

func (v PrefsView) ExitNodeIP() netip.Addr

func (PrefsView) ForceDaemon

func (v PrefsView) ForceDaemon() bool

func (PrefsView) Hostname

func (v PrefsView) Hostname() string

func (PrefsView) LoggedOut

func (v PrefsView) LoggedOut() bool

func (PrefsView) MarshalJSON

func (v PrefsView) MarshalJSON() ([]byte, error)

func (PrefsView) NetfilterKind

func (v PrefsView) NetfilterKind() string

func (PrefsView) NetfilterMode

func (v PrefsView) NetfilterMode() preftype.NetfilterMode

func (PrefsView) NoSNAT

func (v PrefsView) NoSNAT() bool

func (PrefsView) NotepadURLs

func (v PrefsView) NotepadURLs() bool

func (PrefsView) OperatorUser

func (v PrefsView) OperatorUser() string

func (PrefsView) Persist

func (v PrefsView) Persist() persist.PersistView

func (PrefsView) PostureChecking

func (v PrefsView) PostureChecking() bool

func (PrefsView) Pretty

func (p PrefsView) Pretty() string

func (PrefsView) ProfileName

func (v PrefsView) ProfileName() string

func (PrefsView) RouteAll

func (v PrefsView) RouteAll() bool

func (PrefsView) RunSSH

func (v PrefsView) RunSSH() bool

func (PrefsView) RunWebClient

func (v PrefsView) RunWebClient() bool

func (PrefsView) ShieldsUp

func (v PrefsView) ShieldsUp() bool

func (PrefsView) ShouldSSHBeRunning

func (p PrefsView) ShouldSSHBeRunning() bool

ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.

func (PrefsView) ShouldWebClientBeRunning

func (p PrefsView) ShouldWebClientBeRunning() bool

ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.

func (PrefsView) ToBytes

func (p PrefsView) ToBytes() []byte

func (*PrefsView) UnmarshalJSON

func (v *PrefsView) UnmarshalJSON(b []byte) error

func (PrefsView) Valid

func (v PrefsView) Valid() bool

Valid reports whether underlying value is non-nil.

func (PrefsView) WantRunning

func (v PrefsView) WantRunning() bool

type ProfileID

type ProfileID string

ProfileID is an auto-generated system-wide unique identifier for a login profile. It is a 4 character hex string like "1ab3".

type ServeConfig

type ServeConfig struct {
	// TCP are the list of TCP port numbers that tailscaled should handle for
	// the Tailscale IP addresses. (not subnet routers, etc)
	TCP map[uint16]*TCPPortHandler `json:",omitempty"`

	// Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
	// keyed by mount point ("/", "/foo", etc)
	Web map[HostPort]*WebServerConfig `json:",omitempty"`

	// AllowFunnel is the set of SNI:port values for which funnel
	// traffic is allowed, from trusted ingress peers.
	AllowFunnel map[HostPort]bool `json:",omitempty"`

	// Foreground is a map of an IPN Bus session ID to an alternate foreground
	// serve config that's valid for the life of that WatchIPNBus session ID.
	// This. This allows the config to specify ephemeral configs that are
	// used in the CLI's foreground mode to ensure ungraceful shutdowns
	// of either the client or the LocalBackend does not expose ports
	// that users are not aware of.
	Foreground map[string]*ServeConfig `json:",omitempty"`

	// ETag is the checksum of the serve config that's populated
	// by the LocalClient through the HTTP ETag header during a
	// GetServeConfig request and is translated to an If-Match header
	// during a SetServeConfig request.
	ETag string `json:"-"`
}

ServeConfig is the JSON type stored in the StateStore for StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.

func (*ServeConfig) Clone

func (src *ServeConfig) Clone() *ServeConfig

Clone makes a deep copy of ServeConfig. The result aliases no memory with the original.

func (*ServeConfig) GetTCPPortHandler

func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler

GetTCPPortHandler returns the TCPPortHandler for the given port. If the port is not configured, nil is returned.

func (*ServeConfig) GetWebHandler

func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler

GetWebHandler returns the HTTPHandler for the given host:port and mount point. Returns nil if the handler does not exist.

func (*ServeConfig) HasPathHandler

func (sc *ServeConfig) HasPathHandler() bool

HasPathHandler reports whether if ServeConfig has at least one path handler, including foreground configs.

func (*ServeConfig) IsFunnelOn

func (sc *ServeConfig) IsFunnelOn() bool

IsFunnelOn reports whether if ServeConfig is currently allowing funnel traffic for any host:port.

func (*ServeConfig) IsServingHTTP

func (sc *ServeConfig) IsServingHTTP(port uint16) bool

IsServingHTTP reports whether if ServeConfig is currently serving HTTP on the given port. This is exclusive of HTTPS and TCPForwarding.

func (*ServeConfig) IsServingHTTPS

func (sc *ServeConfig) IsServingHTTPS(port uint16) bool

IsServingHTTPS reports whether if ServeConfig is currently serving HTTPS on the given port. This is exclusive of HTTP and TCPForwarding.

func (*ServeConfig) IsServingWeb

func (sc *ServeConfig) IsServingWeb(port uint16) bool

IsServingWeb reports whether if ServeConfig is currently serving Web (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.

func (*ServeConfig) IsTCPForwardingAny

func (sc *ServeConfig) IsTCPForwardingAny() bool

IsTCPForwardingAny reports whether ServeConfig is currently forwarding in TCPForward mode on any port. This is exclusive of Web/HTTPS serving.

func (*ServeConfig) IsTCPForwardingOnPort

func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool

IsTCPForwardingOnPort reports whether if ServeConfig is currently forwarding in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.

func (*ServeConfig) View

func (p *ServeConfig) View() ServeConfigView

View returns a readonly view of ServeConfig.

func (*ServeConfig) WebHandlerExists

func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool

WebHandlerExists reports whether if the ServeConfig Web handler exists for the given host:port and mount point.

type ServeConfigView

type ServeConfigView struct {
	// contains filtered or unexported fields
}

ServeConfigView provides a read-only view over ServeConfig.

Its methods should only be called if `Valid()` returns true.

func (ServeConfigView) AllowFunnel

func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]

func (ServeConfigView) AsStruct

func (v ServeConfigView) AsStruct() *ServeConfig

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (ServeConfigView) ETag

func (v ServeConfigView) ETag() string

func (ServeConfigView) FindTCP

func (v ServeConfigView) FindTCP(port uint16) (res TCPPortHandlerView, ok bool)

FindTCP returns the first TCP that matches with the given port. It prefers a foreground match first followed by a background search if none existed.

func (ServeConfigView) FindWeb

func (v ServeConfigView) FindWeb(hp HostPort) (res WebServerConfigView, ok bool)

FindWeb returns the first Web that matches with the given HostPort. It prefers a foreground match first followed by a background search if none existed.

func (ServeConfigView) Foreground

func (ServeConfigView) HasAllowFunnel

func (v ServeConfigView) HasAllowFunnel() bool

HasAllowFunnel returns whether this config has at least one AllowFunnel set in the background or foreground configs.

func (ServeConfigView) HasFunnelForTarget

func (v ServeConfigView) HasFunnelForTarget(target HostPort) bool

FindFunnel reports whether target exists in in either the background AllowFunnel or any of the foreground configs.

func (ServeConfigView) IsFunnelOn

func (v ServeConfigView) IsFunnelOn() bool

IsFunnelOn reports whether if ServeConfig is currently allowing funnel traffic for any host:port.

View version of ServeConfig.IsFunnelOn.

func (ServeConfigView) MarshalJSON

func (v ServeConfigView) MarshalJSON() ([]byte, error)

func (ServeConfigView) RangeOverTCPs

func (v ServeConfigView) RangeOverTCPs(f func(port uint16, _ TCPPortHandlerView) bool)

RangeOverTCPs ranges over both background and foreground TCPs. If the returned bool from the given f is false, then this function stops iterating immediately and does not check other foreground configs.

func (ServeConfigView) RangeOverWebs

func (v ServeConfigView) RangeOverWebs(f func(_ HostPort, conf WebServerConfigView) bool)

RangeOverWebs ranges over both background and foreground Webs. If the returned bool from the given f is false, then this function stops iterating immediately and does not check other foreground configs.

func (ServeConfigView) TCP

func (*ServeConfigView) UnmarshalJSON

func (v *ServeConfigView) UnmarshalJSON(b []byte) error

func (ServeConfigView) Valid

func (v ServeConfigView) Valid() bool

Valid reports whether underlying value is non-nil.

func (ServeConfigView) Web

type State

type State int
const (
	NoState          State = 0
	InUseOtherUser   State = 1
	NeedsLogin       State = 2
	NeedsMachineAuth State = 3
	Stopped          State = 4
	Starting         State = 5
	Running          State = 6
)

func (State) String

func (s State) String() string

type StateKey

type StateKey string

StateKey is an opaque identifier for a set of LocalBackend state (preferences, private keys, etc.). It is also used as a key for the various LoginProfiles that the instance may be signed into.

Additionally, the StateKey can be debug setting name:

  • "_debug_magicsock_until" with value being a unix timestamp stringified
  • "_debug_<component>_until" with value being a unix timestamp stringified

func CurrentProfileKey

func CurrentProfileKey(userID string) StateKey

CurrentProfileID returns the StateKey that stores the current profile ID. The value is a JSON-encoded LoginProfile. If the userID is empty, the key returned is CurrentProfileStateKey, otherwise it is "_current/"+userID.

func ServeConfigKey

func ServeConfigKey(profileID ProfileID) StateKey

ServeConfigKey returns a StateKey that stores the JSON-encoded ServeConfig for a config profile.

type StateStore

type StateStore interface {
	// ReadState returns the bytes associated with ID. Returns (nil,
	// ErrStateNotExist) if the ID doesn't have associated state.
	ReadState(id StateKey) ([]byte, error)
	// WriteState saves bs as the state associated with ID.
	//
	// Callers should generally use the ipn.WriteState wrapper func
	// instead, which only writes if the value is different from what's
	// already in the store.
	WriteState(id StateKey, bs []byte) error
}

StateStore persists state, and produces it back on request.

type StateStoreDialerSetter

type StateStoreDialerSetter interface {
	SetDialer(d func(ctx context.Context, network, address string) (net.Conn, error))
}

StateStoreDialerSetter is an optional interface that StateStores can implement to allow the caller to set a custom dialer.

type TCPPortHandler

type TCPPortHandler struct {
	// HTTPS, if true, means that tailscaled should handle this connection as an
	// HTTPS request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTPS bool `json:",omitempty"`

	// HTTP, if true, means that tailscaled should handle this connection as an
	// HTTP request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTP bool `json:",omitempty"`

	// TCPForward is the IP:port to forward TCP connections to.
	// Whether or not TLS is terminated by tailscaled depends on
	// TerminateTLS.
	//
	// It is mutually exclusive with HTTPS.
	TCPForward string `json:",omitempty"`

	// TerminateTLS, if non-empty, means that tailscaled should terminate the
	// TLS connections before forwarding them to TCPForward, permitting only the
	// SNI name with this value. It is only used if TCPForward is non-empty.
	// (the HTTPS mode uses ServeConfig.Web)
	TerminateTLS string `json:",omitempty"`
}

TCPPortHandler describes what to do when handling a TCP connection.

func (*TCPPortHandler) Clone

func (src *TCPPortHandler) Clone() *TCPPortHandler

Clone makes a deep copy of TCPPortHandler. The result aliases no memory with the original.

func (*TCPPortHandler) View

View returns a readonly view of TCPPortHandler.

type TCPPortHandlerView

type TCPPortHandlerView struct {
	// contains filtered or unexported fields
}

TCPPortHandlerView provides a read-only view over TCPPortHandler.

Its methods should only be called if `Valid()` returns true.

func (TCPPortHandlerView) AsStruct

func (v TCPPortHandlerView) AsStruct() *TCPPortHandler

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (TCPPortHandlerView) HTTP

func (v TCPPortHandlerView) HTTP() bool

func (TCPPortHandlerView) HTTPS

func (v TCPPortHandlerView) HTTPS() bool

func (TCPPortHandlerView) MarshalJSON

func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)

func (TCPPortHandlerView) TCPForward

func (v TCPPortHandlerView) TCPForward() string

func (TCPPortHandlerView) TerminateTLS

func (v TCPPortHandlerView) TerminateTLS() string

func (*TCPPortHandlerView) UnmarshalJSON

func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error

func (TCPPortHandlerView) Valid

func (v TCPPortHandlerView) Valid() bool

Valid reports whether underlying value is non-nil.

type WebServerConfig

type WebServerConfig struct {
	Handlers map[string]*HTTPHandler // mountPoint => handler
}

WebServerConfig describes a web server's configuration.

func (*WebServerConfig) Clone

func (src *WebServerConfig) Clone() *WebServerConfig

Clone makes a deep copy of WebServerConfig. The result aliases no memory with the original.

func (*WebServerConfig) View

View returns a readonly view of WebServerConfig.

type WebServerConfigView

type WebServerConfigView struct {
	// contains filtered or unexported fields
}

WebServerConfigView provides a read-only view over WebServerConfig.

Its methods should only be called if `Valid()` returns true.

func (WebServerConfigView) AsStruct

func (v WebServerConfigView) AsStruct() *WebServerConfig

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (WebServerConfigView) Handlers

func (WebServerConfigView) MarshalJSON

func (v WebServerConfigView) MarshalJSON() ([]byte, error)

func (*WebServerConfigView) UnmarshalJSON

func (v *WebServerConfigView) UnmarshalJSON(b []byte) error

func (WebServerConfigView) Valid

func (v WebServerConfigView) Valid() bool

Valid reports whether underlying value is non-nil.

type WindowsUserID

type WindowsUserID string

WindowsUserID is a userid (suitable for passing to ipnauth.LookupUserFromID or os/user.LookupId) but only set on Windows. It's empty on all other platforms, unless envknob.GOOS is in used, making Linux act like Windows for tests.

Directories

Path Synopsis
Package conffile contains code to load, manipulate, and access config file settings.
Package conffile contains code to load, manipulate, and access config file settings.
Package ipnauth controls access to the LocalAPI.
Package ipnauth controls access to the LocalAPI.
Package ipnstate captures the entire state of the Tailscale network.
Package ipnstate captures the entire state of the Tailscale network.
Package localapi contains the HTTP server handlers for tailscaled's API server.
Package localapi contains the HTTP server handlers for tailscaled's API server.
Package policy contains various policy decisions that need to be shared between the node client & control server.
Package policy contains various policy decisions that need to be shared between the node client & control server.
Package store provides various implementation of ipn.StateStore.
Package store provides various implementation of ipn.StateStore.
awsstore
Package awsstore contains an ipn.StateStore implementation using AWS SSM.
Package awsstore contains an ipn.StateStore implementation using AWS SSM.
mem
Package mem provides an in-memory ipn.StateStore implementation.
Package mem provides an in-memory ipn.StateStore implementation.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL