ipn

package ipn
Version: v1.92.2 (Latest)

This package is not in the latest version of its module.

Published: Dec 10, 2025 | License: BSD-3-Clause | Imports: 46 | Imported by: 119

Repository: github.com/tailscale/tailscale

Documentation

Overview

Package ipn implements the interactions between the Tailscale cloud control plane and the local network stack.

IPN is the abbreviated name for a Tailscale network. What's less clear is what it's an abbreviation for: Identified Private Network? IP Network? Internet Private Network? I Privately Network?

Constants

    const (
        // MachineKeyStateKey is the key under which we store the machine key,
        // in its key.NodePrivate.MarshalText representation.
        MachineKeyStateKey = StateKey("_machinekey")

        // LegacyGlobalDaemonStateKey is the ipn.StateKey that tailscaled
        // loads on startup.
        //
        // We have to support multiple state keys for other OSes (Windows in
        // particular), but right now Unix daemons run with a single
        // node-global state. To keep open the option of having per-user state
        // later, the global state key doesn't look like a username.
        //
        // As of 2022-10-21, it has been superseded by profiles and is no longer
        // written to disk. It is only read at startup when there are no profiles,
        // to migrate the state to the "default" profile.
        // The existing state is left on disk in case the user downgrades to an
        // older version of Tailscale that doesn't support profiles. We can
        // remove this in a future release.
        LegacyGlobalDaemonStateKey = StateKey("_daemon")

        // ServerModeStartKey's value, if non-empty, is the value of a
        // StateKey containing the prefs with which to start the
        // server.
        //
        // For example, the value might be "user-1234", meaning
        // the server should start with the Prefs JSON loaded from
        // StateKey "user-1234".
        ServerModeStartKey = StateKey("server-mode-start-key")

        // KnownProfilesStateKey is the key under which we store the list of
        // known profiles. The value is a JSON-encoded []LoginProfile.
        KnownProfilesStateKey = StateKey("_profiles")

        // CurrentProfileStateKey is the key under which we store the current
        // profile.
        CurrentProfileStateKey = StateKey("_current-profile")

        // TaildropReceivedKey is the key to indicate whether any taildrop file
        // has ever been received (even if partially).
        // Any non-empty value indicates that at least one file has been received.
        TaildropReceivedKey = StateKey("_taildrop-received")
    )

    const (
        // AutoExitNodePrefix is the prefix used in [syspolicy.ExitNodeID] values and CLI
        // to indicate that the string following the prefix is an [ipn.ExitNodeExpression].
        AutoExitNodePrefix = "auto:"
    )

    const DefaultControlURL = "https://controlplane.tailscale.com"

DefaultControlURL is the URL base of the control plane ("coordination server") for use when no explicit one is configured. The default control plane is the hosted version run by Tailscale.com.

    const GoogleIDTokenType = "ts_android_google_login"

GoogleIDTokenType is the tailcfg.Oauth2Token.TokenType for the Google ID tokens used by the Android client.

Variables

    var DebuggableComponents = []string{
        "magicsock",
        "sockstats",
        "syspolicy",
    }

DebuggableComponents is a list of components whose debugging can be turned on and off individually using the tailscale debug command.

    var (
        // ErrExitNodeIDAlreadySet is returned from (*Prefs).SetExitNodeIP when the
        // Prefs.ExitNodeID field is already set.
        ErrExitNodeIDAlreadySet = errors.New("cannot set ExitNodeIP when ExitNodeID is already set")
    )

    var ErrStateNotExist = errors.New("no state with given ID")

ErrStateNotExist is returned by StateStore.ReadState when the requested state ID doesn't exist.

    var StateStoreHealth = health.Register(&health.Warnable{
        Code:     "state-store-health",
        Severity: health.SeverityHigh,
        Title:    "Tailscale state store failed to initialize",
        Text: func(args health.Args) string {
            return fmt.Sprintf("State store failed to initialize, Tailscale will not work until this is resolved. See https://tailscale.com/s/state-store-init-error. Error: %s", args[health.ArgError])
        },
        ImpactsConnectivity: true,
    })

StateStoreHealth is a Warnable set when store.New fails at startup. If unhealthy, we block all login attempts and return a health message in status responses.

Functions

func CheckFunnelAccess (added in v1.38.0)

    func CheckFunnelAccess(port uint16, node *ipnstate.PeerStatus) error

CheckFunnelAccess checks whether Funnel access is allowed for the given node and port. It checks:

  1. HTTPS is enabled on the tailnet
  2. the node has the "funnel" nodeAttr
  3. the port is allowed for Funnel

The node arg should be the ipnstate.Status.Self node.

func CheckFunnelPort (added in v1.48.0)

    func CheckFunnelPort(wantedPort uint16, node *ipnstate.PeerStatus) error

CheckFunnelPort checks whether the given port is allowed for Funnel. It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed ports.

func ExpandProxyTargetValue (added in v1.62.0)

    func ExpandProxyTargetValue(target string, supportedSchemes []string, defaultScheme string) (string, error)

ExpandProxyTargetValue expands the supported target values to be proxied, allowing for input values to be a port number, a partial URL, or a full URL including a path. If it's for a service, remote addresses are allowed and there doesn't have to be a port specified.

examples:

func IsLoginServerSynonym (added in v1.12.0)

    func IsLoginServerSynonym(val any) bool

IsLoginServerSynonym reports whether a URL is a drop-in replacement for the primary Tailscale login server.

func NodeCanFunnel (added in v1.62.0)

    func NodeCanFunnel(node *ipnstate.PeerStatus) error

NodeCanFunnel returns an error if the given node is not configured to allow for Tailscale Funnel usage.

func PrefsFromBytes

    func PrefsFromBytes(b []byte, base *Prefs) error

PrefsFromBytes deserializes Prefs from a JSON blob b into base. Values in base are preserved, unless they are populated in the JSON blob.

func PutStoreInt (added in v1.32.0)

    func PutStoreInt(store StateStore, id StateKey, val int64) error

PutStoreInt puts an integer into a StateStore.

func ReadStoreInt (added in v1.32.0)

    func ReadStoreInt(store StateStore, id StateKey) (int64, error)

ReadStoreInt reads an integer from a StateStore.

func SavePrefs

    func SavePrefs(filename string, p *Prefs)

func WriteState (added in v1.48.0)

    func WriteState(store StateStore, id StateKey, v []byte) error

WriteState is a wrapper around store.WriteState that only writes if the value is different from what's already in the store.

Types

type AppConnectorPrefs (added in v1.54.0)

    type AppConnectorPrefs struct {
        // Advertise specifies whether the app connector subsystem is advertising
        // this node as a connector.
        Advertise bool
    }

AppConnectorPrefs are the app connector settings for the node agent.

func (AppConnectorPrefs) Pretty (added in v1.54.0)

    func (ap AppConnectorPrefs) Pretty() string

type AutoUpdatePrefs (added in v1.50.0)

    type AutoUpdatePrefs struct {
        // Check specifies whether background checks for updates are enabled. When
        // enabled, tailscaled will periodically check for available updates and
        // notify the user about them.
        Check bool

        // Apply specifies whether background auto-updates are enabled. When
        // enabled, tailscaled will apply available updates in the background.
        // Check must also be set when Apply is set.
        Apply opt.Bool
    }

AutoUpdatePrefs are the auto update settings for the node agent.

func (AutoUpdatePrefs) Equals (added in v1.58.0)

func (AutoUpdatePrefs) Pretty (added in v1.50.0)

    func (au AutoUpdatePrefs) Pretty() string

type AutoUpdatePrefsMask (added in v1.56.0)

    type AutoUpdatePrefsMask struct {
        CheckSet bool `json:",omitempty"`
        ApplySet bool `json:",omitempty"`
    }

func (AutoUpdatePrefsMask) Pretty (added in v1.56.0)

type ConfigVAlpha (added in v1.52.0)

    type ConfigVAlpha struct {
        Version string   // "alpha0" for now
        Locked  opt.Bool `json:",omitempty"` // whether the config is locked from being changed by 'tailscale set'; it defaults to true

        ServerURL *string  `json:",omitempty"` // defaults to https://controlplane.tailscale.com
        AuthKey   *string  `json:",omitempty"` // as needed if NeedsLogin. either key or path to a file (if prefixed with "file:")
        Enabled   opt.Bool `json:",omitempty"` // wantRunning; empty string defaults to true

        OperatorUser *string `json:",omitempty"` // local user name who is allowed to operate tailscaled without being root or using sudo
        Hostname     *string `json:",omitempty"`

        AcceptDNS    opt.Bool `json:"acceptDNS,omitempty"`    // --accept-dns
        AcceptRoutes opt.Bool `json:"acceptRoutes,omitempty"` // --accept-routes defaults to true

        ExitNode                   *string  `json:"exitNode,omitempty"` // IP, StableID, or MagicDNS base name
        AllowLANWhileUsingExitNode opt.Bool `json:"allowLANWhileUsingExitNode,omitempty"`

        AdvertiseRoutes []netip.Prefix `json:",omitempty"`
        DisableSNAT     opt.Bool       `json:",omitempty"`

        AdvertiseServices []string `json:",omitempty"`

        AppConnector *AppConnectorPrefs `json:",omitempty"` // advertise app connector; defaults to false (if nil or explicitly set to false)

        NetfilterMode       *string  `json:",omitempty"` // "on", "off", "nodivert"
        NoStatefulFiltering opt.Bool `json:",omitempty"`

        PostureChecking opt.Bool         `json:",omitempty"`
        RunSSHServer    opt.Bool         `json:",omitempty"` // Tailscale SSH
        RunWebClient    opt.Bool         `json:",omitempty"`
        ShieldsUp       opt.Bool         `json:",omitempty"`
        AutoUpdate      *AutoUpdatePrefs `json:",omitempty"`
        ServeConfigTemp *ServeConfig     `json:",omitempty"` // TODO(bradfitz,maisem): make separate stable type for this

        // StaticEndpoints are additional, user-defined endpoints that this node
        // should advertise amongst its wireguard endpoints.
        StaticEndpoints []netip.AddrPort `json:",omitempty"`
    }

ConfigVAlpha is the config file format for the "alpha0" version.

func (*ConfigVAlpha) ToPrefs (added in v1.52.0)

    func (c *ConfigVAlpha) ToPrefs() (MaskedPrefs, error)

type EncryptedStateStore (added in v1.86.0)

    type EncryptedStateStore interface {
        // contains filtered or unexported methods
    }

EncryptedStateStore is a marker interface implemented by StateStores that encrypt data at rest.

type EngineStatus

    type EngineStatus struct {
        RBytes, WBytes int64
        NumLive        int
        LiveDERPs      int // number of active DERP connections
        LivePeers      map[key.NodePublic]ipnstate.PeerStatusLite
    }

EngineStatus contains WireGuard engine stats.

type ExitNodeExpression (added in v1.86.0)

    type ExitNodeExpression string

ExitNodeExpression is a string that specifies how an exit node should be selected. An empty string means that no exit node should be selected.

As of 2025-07-02, the only supported value is AnyExitNode.

    const AnyExitNode ExitNodeExpression = "any"

AnyExitNode indicates that the exit node should be automatically selected from the pool of available exit nodes, excluding any disallowed by policy (e.g., [syspolicy.AllowedSuggestedExitNodes]). The exact implementation is subject to change, but exit nodes offering the best performance will be preferred.

func ParseAutoExitNodeString (added in v1.86.0)

    func ParseAutoExitNodeString[T ~string](s T) (_ ExitNodeExpression, ok bool)

ParseAutoExitNodeString attempts to parse the given string as an ExitNodeExpression.

It returns the parsed expression and true on success, or an empty string and false if the input does not appear to be an ExitNodeExpression (i.e., it doesn't start with "auto:").

It is mainly used to parse the [syspolicy.ExitNodeID] value when it is set to "auto:<expression>" (e.g., auto:any).

func (ExitNodeExpression) IsSet (added in v1.86.0)

    func (e ExitNodeExpression) IsSet() bool

IsSet reports whether the expression is non-empty and can be used to select an exit node.

type ExitNodeLocalIPError (added in v1.24.0)

    type ExitNodeLocalIPError struct {
        // contains filtered or unexported fields
    }

ExitNodeLocalIPError is returned when the requested IP address for an exit node belongs to the local machine.

func (ExitNodeLocalIPError) Error (added in v1.24.0)

type FunnelConn (added in v1.38.0)

    type FunnelConn struct {
        // Conn is the underlying connection.
        net.Conn

        // Target is what was presented in the "Tailscale-Ingress-Target"
        // HTTP header.
        Target HostPort

        // Src is the source address of the connection.
        // This is the address of the client that initiated the
        // connection, not the address of the Tailscale Funnel
        // node which is relaying the connection. That address
        // can be found in Conn.RemoteAddr.
        Src netip.AddrPort
    }

A FunnelConn wraps a net.Conn that is coming over a Funnel connection. It can be used to determine further information about the connection, like the source address and the target SNI name.

type HTTPHandler (added in v1.34.0)

    type HTTPHandler struct {
        Path  string `json:",omitempty"` // absolute path to directory or file to serve
        Proxy string `json:",omitempty"` // http://localhost:3000/, localhost:3030, 3030

        Text string `json:",omitempty"` // plaintext to serve (primarily for testing)

        AcceptAppCaps []tailcfg.PeerCapability `json:",omitempty"` // peer capabilities to forward in grant header, e.g. example.com/cap/mon

        // Redirect, if not empty, is the target URL to redirect requests to.
        // By default, we redirect with HTTP 302 (Found) status.
        // If Redirect starts with '<httpcode>:', then we use that status instead.
        //
        // The target URL supports the following expansion variables:
        //   - ${HOST}: replaced with the request's Host header value
        //   - ${REQUEST_URI}: replaced with the request's full URI (path and query string)
        Redirect string `json:",omitempty"`
    }

HTTPHandler is either a path or a proxy to serve.

func (*HTTPHandler) Clone (added in v1.34.0)

    func (src *HTTPHandler) Clone() *HTTPHandler

Clone makes a deep copy of HTTPHandler. The result aliases no memory with the original.

func (*HTTPHandler) View (added in v1.34.0)

View returns a read-only view of HTTPHandler.

type HTTPHandlerView (added in v1.34.0)

    type HTTPHandlerView struct {
        // contains filtered or unexported fields
    }

HTTPHandlerView provides a read-only view over HTTPHandler.

Its methods should only be called if `Valid()` returns true.

func (HTTPHandlerView) AcceptAppCaps (added in v1.92.0)

peer capabilities to forward in grant header, e.g. example.com/cap/mon

func (HTTPHandlerView) AsStruct (added in v1.34.0)

    func (v HTTPHandlerView) AsStruct() *HTTPHandler

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (HTTPHandlerView) MarshalJSON (added in v1.34.0)

    func (v HTTPHandlerView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (HTTPHandlerView) MarshalJSONTo (added in v1.88.0)

    func (v HTTPHandlerView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (HTTPHandlerView) Path (added in v1.34.0)

    func (v HTTPHandlerView) Path() string

absolute path to directory or file to serve

func (HTTPHandlerView) Proxy (added in v1.34.0)

    func (v HTTPHandlerView) Proxy() string

http://localhost:3000/, localhost:3030, 3030

func (HTTPHandlerView) Redirect (added in v1.92.0)

    func (v HTTPHandlerView) Redirect() string

Redirect, if not empty, is the target URL to redirect requests to. By default, we redirect with HTTP 302 (Found) status. If Redirect starts with '<httpcode>:', then we use that status instead.

The target URL supports the following expansion variables:

  • ${HOST}: replaced with the request's Host header value
  • ${REQUEST_URI}: replaced with the request's full URI (path and query string)
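
The Redirect format described above, worked through as an added example (a standalone sketch, not code from the ipn package). ParseRedirect, Expand and ErrUnsafeInput are hypothetical names; treating only 3xx codes as a status prefix and validating the request-derived values before substitution are assumptions of this example, not behaviour the page documents.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrUnsafeInput is returned when a request-derived value is not fit to be
// placed into a redirect target (hypothetical name, example only).
var ErrUnsafeInput = errors.New("unsafe request value")

// ParseRedirect splits a Redirect value into status and target. A leading
// "<httpcode>:" selects the status; otherwise 302 (Found) is used.
// Assumption: only three-digit 3xx codes count as a prefix, so the scheme of
// a target such as "https://..." is never mistaken for a status code.
func ParseRedirect(spec string) (status int, target string) {
	if code, rest, ok := strings.Cut(spec, ":"); ok && len(code) == 3 {
		if n, err := strconv.Atoi(code); err == nil && n >= 300 && n <= 399 {
			return n, rest
		}
	}
	return 302, spec
}

// Expand substitutes ${HOST} and ${REQUEST_URI}. Both values originate in the
// incoming request, so they are checked before they reach a Location header.
func Expand(target, host, requestURI string) (string, error) {
	if host == "" || strings.ContainsAny(host, "/\\@?# \t\r\n") {
		return "", fmt.Errorf("%w: Host %q", ErrUnsafeInput, host)
	}
	if !strings.HasPrefix(requestURI, "/") || strings.ContainsAny(requestURI, "\r\n") {
		return "", fmt.Errorf("%w: request URI %q", ErrUnsafeInput, requestURI)
	}
	// A Replacer works in a single pass: text inserted for one variable is
	// not scanned again, so a URI containing "${HOST}" stays literal.
	r := strings.NewReplacer("${HOST}", host, "${REQUEST_URI}", requestURI)
	return r.Replace(target), nil
}

func main() {
	// Constructed sample values.
	status, target := ParseRedirect("301:https://${HOST}${REQUEST_URI}")
	loc, err := Expand(target, "node.example.ts.net", "/docs?q=1")
	fmt.Println(status, loc, err)
}
```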

func (HTTPHandlerView) Text (added in v1.34.0)

    func (v HTTPHandlerView) Text() string

plaintext to serve (primarily for testing)

func (*HTTPHandlerView) UnmarshalJSON (added in v1.34.0)

    func (v *HTTPHandlerView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*HTTPHandlerView) UnmarshalJSONFrom (added in v1.88.0)

    func (v *HTTPHandlerView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (HTTPHandlerView) Valid (added in v1.34.0)

    func (v HTTPHandlerView) Valid() bool

Valid reports whether v's underlying value is non-nil.

type HostPort (added in v1.34.0)

    type HostPort string

HostPort is an SNI name and port number, joined by a colon. There is no implicit port 443. It must contain a colon.

func (HostPort) Port (added in v1.50.0)

    func (hp HostPort) Port() (uint16, error)

Port extracts just the port number from hp. An error is reported in the case that the hp does not have a valid numeric port ending.

type LoginProfile (added in v1.34.0)

    type LoginProfile struct {
        // ID is a unique identifier for this profile.
        // It is assigned on creation and never changes.
        // It may seem redundant to have both ID and UserProfile.ID
        // but they are different things. UserProfile.ID may change
        // over time (e.g. if a device is tagged).
        ID ProfileID

        // Name is the user-visible name of this profile.
        // It is filled in from the UserProfile.LoginName field.
        Name string

        // NetworkProfile is a subset of netmap.NetworkMap that we
        // store to remember information about the tailnet that this
        // profile was logged in with.
        //
        // This field was added on 2023-11-17.
        NetworkProfile NetworkProfile

        // Key is the StateKey under which the profile is stored.
        // It is assigned once at profile creation time and never changes.
        Key StateKey

        // UserProfile is the server provided UserProfile for this profile.
        // This is updated whenever the server provides a new UserProfile.
        UserProfile tailcfg.UserProfile

        // NodeID is the NodeID of the node that this profile is logged into.
        // This should be stable across tagging and untagging nodes.
        // It may seem redundant to check against both the UserProfile.UserID
        // and the NodeID. However the NodeID can change if the node is deleted
        // from the admin panel.
        NodeID tailcfg.StableNodeID

        // LocalUserID is the user ID of the user who created this profile.
        // It is only relevant on Windows where we have a multi-user system.
        // It is assigned once at profile creation time and never changes.
        LocalUserID WindowsUserID

        // ControlURL is the URL of the control server that this profile is logged
        // into.
        ControlURL string
    }

LoginProfile represents a single login profile as managed by the ProfileManager.

func (*LoginProfile) Clone (added in v1.82.0)

    func (src *LoginProfile) Clone() *LoginProfile

Clone makes a deep copy of LoginProfile. The result aliases no memory with the original.

func (*LoginProfile) Equals (added in v1.84.0)

    func (p *LoginProfile) Equals(p2 *LoginProfile) bool

Equals reports whether p and p2 are equal.

func (*LoginProfile) View (added in v1.82.0)

View returns a read-only view of LoginProfile.

type LoginProfileView (added in v1.82.0)

    type LoginProfileView struct {
        // contains filtered or unexported fields
    }

LoginProfileView provides a read-only view over LoginProfile.

Its methods should only be called if `Valid()` returns true.

func (LoginProfileView) AsStruct (added in v1.82.0)

    func (v LoginProfileView) AsStruct() *LoginProfile

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (LoginProfileView) ControlURL (added in v1.82.0)

    func (v LoginProfileView) ControlURL() string

ControlURL is the URL of the control server that this profile is logged into.

func (LoginProfileView) Equals (added in v1.84.0)

Equals reports whether p and p2 are equal.

func (LoginProfileView) ID (added in v1.82.0)

ID is a unique identifier for this profile. It is assigned on creation and never changes. It may seem redundant to have both ID and UserProfile.ID but they are different things. UserProfile.ID may change over time (e.g. if a device is tagged).

func (LoginProfileView) Key (added in v1.82.0)

Key is the StateKey under which the profile is stored. It is assigned once at profile creation time and never changes.

func (LoginProfileView) LocalUserID (added in v1.82.0)

    func (v LoginProfileView) LocalUserID() WindowsUserID

LocalUserID is the user ID of the user who created this profile. It is only relevant on Windows where we have a multi-user system. It is assigned once at profile creation time and never changes.

func (LoginProfileView) MarshalJSON (added in v1.82.0)

    func (v LoginProfileView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (LoginProfileView) MarshalJSONTo (added in v1.88.0)

    func (v LoginProfileView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (LoginProfileView) Name (added in v1.82.0)

    func (v LoginProfileView) Name() string

Name is the user-visible name of this profile. It is filled in from the UserProfile.LoginName field.

func (LoginProfileView) NetworkProfile (added in v1.82.0)

    func (v LoginProfileView) NetworkProfile() NetworkProfile

NetworkProfile is a subset of netmap.NetworkMap that we store to remember information about the tailnet that this profile was logged in with.

This field was added on 2023-11-17.

func (LoginProfileView) NodeID (added in v1.82.0)

NodeID is the NodeID of the node that this profile is logged into. This should be stable across tagging and untagging nodes. It may seem redundant to check against both the UserProfile.UserID and the NodeID. However the NodeID can change if the node is deleted from the admin panel.

func (*LoginProfileView) UnmarshalJSON (added in v1.82.0)

    func (v *LoginProfileView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*LoginProfileView) UnmarshalJSONFrom (added in v1.88.0)

    func (v *LoginProfileView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (LoginProfileView) UserProfile (added in v1.82.0)

    func (v LoginProfileView) UserProfile() tailcfg.UserProfile

UserProfile is the server provided UserProfile for this profile. This is updated whenever the server provides a new UserProfile.

func (LoginProfileView) Valid (added in v1.82.0)

    func (v LoginProfileView) Valid() bool

Valid reports whether v's underlying value is non-nil.

type MaskedPrefs (added in v1.8.0)

    type MaskedPrefs struct {
        Prefs

        ControlURLSet                 bool                `json:",omitempty"`
        RouteAllSet                   bool                `json:",omitempty"`
        ExitNodeIDSet                 bool                `json:",omitempty"`
        ExitNodeIPSet                 bool                `json:",omitempty"`
        AutoExitNodeSet               bool                `json:",omitempty"`
        InternalExitNodePriorSet      bool                `json:",omitempty"` // Internal; can't be set by LocalAPI clients
        ExitNodeAllowLANAccessSet     bool                `json:",omitempty"`
        CorpDNSSet                    bool                `json:",omitempty"`
        RunSSHSet                     bool                `json:",omitempty"`
        RunWebClientSet               bool                `json:",omitempty"`
        WantRunningSet                bool                `json:",omitempty"`
        LoggedOutSet                  bool                `json:",omitempty"`
        ShieldsUpSet                  bool                `json:",omitempty"`
        AdvertiseTagsSet              bool                `json:",omitempty"`
        HostnameSet                   bool                `json:",omitempty"`
        NotepadURLsSet                bool                `json:",omitempty"`
        ForceDaemonSet                bool                `json:",omitempty"`
        EggSet                        bool                `json:",omitempty"`
        AdvertiseRoutesSet            bool                `json:",omitempty"`
        AdvertiseServicesSet          bool                `json:",omitempty"`
        SyncSet                       bool                `json:",omitzero"`
        NoSNATSet                     bool                `json:",omitempty"`
        NoStatefulFilteringSet        bool                `json:",omitempty"`
        NetfilterModeSet              bool                `json:",omitempty"`
        OperatorUserSet               bool                `json:",omitempty"`
        ProfileNameSet                bool                `json:",omitempty"`
        AutoUpdateSet                 AutoUpdatePrefsMask `json:",omitzero"`
        AppConnectorSet               bool                `json:",omitempty"`
        PostureCheckingSet            bool                `json:",omitempty"`
        NetfilterKindSet              bool                `json:",omitempty"`
        DriveSharesSet                bool                `json:",omitempty"`
        RelayServerPortSet            bool                `json:",omitempty"`
        RelayServerStaticEndpointsSet bool                `json:",omitzero"`
    }

MaskedPrefs is a Prefs with an associated bitmask of which fields are set.

Each FooSet field maps to a corresponding Foo field in Prefs. FooSet can be a struct, in which case inner fields of FooSet map to inner fields of Foo in Prefs (see AutoUpdateSet for example).

func (*MaskedPrefs) IsEmpty (added in v1.34.0)

    func (m *MaskedPrefs) IsEmpty() bool

IsEmpty reports whether there are no masks set or if m is nil.

func (*MaskedPrefs) Pretty (added in v1.8.0)

    func (m *MaskedPrefs) Pretty() string

func (*MaskedPrefs) SetsInternal (added in v1.64.0)

    func (mp *MaskedPrefs) SetsInternal() bool

SetsInternal reports whether mp has any of the Internal*Set field bools set to true.
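
The FooSet-to-Foo mapping and the Internal*Set check described above, as an added example: a reflection-based sketch written for this page, not Tailscale's implementation. The Prefs, MaskedPrefs, AutoUpdate and AutoUpdateMask types are cut-down stand-ins, and applyMask, ApplyEdits and the free function SetsInternal are hypothetical helpers.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Cut-down stand-ins for ipn.Prefs and ipn.MaskedPrefs (constructed for this
// example; the real structs carry many more fields).
type AutoUpdate struct{ Check, Apply bool }
type AutoUpdateMask struct{ CheckSet, ApplySet bool }

type Prefs struct {
	Hostname              string
	ShieldsUp             bool
	InternalExitNodePrior string
	AutoUpdate            AutoUpdate
}

type MaskedPrefs struct {
	Prefs

	HostnameSet              bool
	ShieldsUpSet             bool
	InternalExitNodePriorSet bool
	AutoUpdateSet            AutoUpdateMask
}

// applyMask copies src.Foo into dst.Foo for every mask field FooSet that is
// true. A struct-typed FooSet is applied recursively to the fields of Foo.
func applyMask(dst, src, mask reflect.Value) {
	for i := 0; i < mask.NumField(); i++ {
		name := mask.Type().Field(i).Name
		if !strings.HasSuffix(name, "Set") {
			continue // e.g. the embedded Prefs itself
		}
		field := strings.TrimSuffix(name, "Set")
		d, s, m := dst.FieldByName(field), src.FieldByName(field), mask.Field(i)
		if !d.IsValid() || !s.IsValid() {
			continue // mask bit without a matching Prefs field
		}
		switch m.Kind() {
		case reflect.Bool:
			if m.Bool() {
				d.Set(s)
			}
		case reflect.Struct:
			applyMask(d, s, m)
		}
	}
}

// ApplyEdits returns a copy of cur with only the masked fields of mp applied.
// Values present in mp.Prefs without their mask bit are ignored.
func ApplyEdits(cur Prefs, mp *MaskedPrefs) Prefs {
	out := cur
	applyMask(reflect.ValueOf(&out).Elem(), reflect.ValueOf(mp.Prefs), reflect.ValueOf(*mp))
	return out
}

// SetsInternal reports whether any Internal*Set mask bool is true. The page
// marks such fields as not settable by LocalAPI clients, so a handler can use
// this check to refuse the whole edit.
func SetsInternal(mp *MaskedPrefs) bool {
	v := reflect.ValueOf(*mp)
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		if strings.HasPrefix(f.Name, "Internal") && strings.HasSuffix(f.Name, "Set") &&
			f.Type.Kind() == reflect.Bool && v.Field(i).Bool() {
			return true
		}
	}
	return false
}

func main() {
	cur := Prefs{Hostname: "laptop", ShieldsUp: true, AutoUpdate: AutoUpdate{Check: true}}
	edit := &MaskedPrefs{
		// ShieldsUp is false here but ShieldsUpSet is not set, so the
		// current value (true) must survive the edit.
		Prefs:         Prefs{Hostname: "build-host", AutoUpdate: AutoUpdate{Apply: true}},
		HostnameSet:   true,
		AutoUpdateSet: AutoUpdateMask{ApplySet: true},
	}
	fmt.Printf("%+v internal=%v\n", ApplyEdits(cur, edit), SetsInternal(edit))
}
```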

type NetworkProfile (added in v1.56.0)

    type NetworkProfile struct {
        MagicDNSName string
        DomainName   string
        DisplayName  string
    }

NetworkProfile is a subset of netmap.NetworkMap that should be saved with each user profile.

func (NetworkProfile) DisplayNameOrDefault (added in v1.88.0)

    func (n NetworkProfile) DisplayNameOrDefault() string

DisplayNameOrDefault will always return a non-empty string. If there is a defined display name, it will return that. If they did not it will default to their domain name.

func (NetworkProfile) RequiresBackfill (added in v1.56.0)

    func (n NetworkProfile) RequiresBackfill() bool

RequiresBackfill returns whether this object does not have all the data expected. This is because this struct is a later addition to LoginProfile and this method can be checked to see if it's been backfilled to the current expectation or not. Note that for now, it just checks if the struct is empty. In the future, if we have new optional fields, this method can be changed to do more explicit checks to return whether it's apt for a backfill or not.

type Notify

    type Notify struct {
        Version string // version number of IPN backend

        // SessionID identifies the unique WatchIPNBus session.
        // This field is only set in the first message when requesting
        // NotifyInitialState. Clients must store it on their side as
        // following notifications will not include this field.
        SessionID string `json:",omitzero"`

        // ErrMessage, if non-nil, contains a critical error message.
        // For State InUseOtherUser, ErrMessage is not critical and just contains the details.
        ErrMessage *string

        LoginFinished *empty.Message     // non-nil when/if the login process succeeded
        State         *State             // if non-nil, the new or current IPN state
        Prefs         *PrefsView         // if non-nil && Valid, the new or current preferences
        NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
        Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
        BrowseToURL   *string            // if non-nil, UI should open a browser right now

        // FilesWaiting if non-nil means that files are buffered in
        // the Tailscale daemon and ready for local transfer to the
        // user's preferred storage location.
        //
        // Deprecated: use LocalClient.AwaitWaitingFiles instead.
        FilesWaiting *empty.Message `json:",omitzero"`

        // IncomingFiles, if non-nil, specifies which files are in the
        // process of being received. A nil IncomingFiles means this
        // Notify should not update the state of file transfers. A non-nil
        // but empty IncomingFiles means that no files are in the middle
        // of being transferred.
        //
        // Deprecated: use LocalClient.AwaitWaitingFiles instead.
        IncomingFiles []PartialFile `json:",omitzero"`

        // OutgoingFiles, if non-nil, tracks which files are in the process of
        // being sent via TailDrop, including files that finished, whether
        // successful or failed. This slice is sorted by Started time, then Name.
        OutgoingFiles []*OutgoingFile `json:",omitzero"`

        // LocalTCPPort, if non-nil, informs the UI frontend which
        // (non-zero) localhost TCP port it's listening on.
        // This is currently only used by Tailscale when run in the
        // macOS Network Extension.
        LocalTCPPort *uint16 `json:",omitzero"`

        // ClientVersion, if non-nil, describes whether a client version update
        // is available.
        ClientVersion *tailcfg.ClientVersion `json:",omitzero"`

        // DriveShares tracks the full set of current DriveShares that we're
        // publishing. Some client applications, like the MacOS and Windows clients,
        // will listen for updates to this and handle serving these shares under
        // the identity of the unprivileged user that is running the application. A
        // nil value here means that we're not broadcasting shares information, an
        // empty value means that there are no shares.
        DriveShares views.SliceView[*drive.Share, drive.ShareView]

        // Health is the last-known health state of the backend. When this field is
        // non-nil, a change in health verified, and the API client should surface
        // any changes to the user in the UI.
        Health *health.State `json:",omitzero"`

        // SuggestedExitNode, if non-nil, is the node that the backend has determined to
        // be the best exit node for the current network conditions.
        SuggestedExitNode *tailcfg.StableNodeID `json:",omitzero"`

        // contains filtered or unexported fields
    }

Notify is a communication from a backend (e.g. tailscaled) to a frontend (cmd/tailscale, iOS, macOS, Win Tasktray). In any given notification, any or all of these may be nil, meaning that they have not changed. They are JSON-encoded on the wire, despite the lack of struct tags.

func (Notify) String (added in v1.8.0)

    func (n Notify) String() string

type NotifyWatchOpt (added in v1.34.0)

    type NotifyWatchOpt uint64

NotifyWatchOpt is a bitmask of options about what type of Notify messages to subscribe to.

    const (
        // NotifyWatchEngineUpdates, if set, causes Engine updates to be sent to the
        // client either regularly or when they change, without having to ask for
        // each one via Engine.RequestStatus.
        NotifyWatchEngineUpdates NotifyWatchOpt = 1 << 0

        NotifyInitialState  NotifyWatchOpt = 1 << 1 // if set, the first Notify message (sent immediately) will contain the current State + BrowseToURL + SessionID
        NotifyInitialPrefs  NotifyWatchOpt = 1 << 2 // if set, the first Notify message (sent immediately) will contain the current Prefs
        NotifyInitialNetMap NotifyWatchOpt = 1 << 3 // if set, the first Notify message (sent immediately) will contain the current NetMap

        NotifyNoPrivateKeys        NotifyWatchOpt = 1 << 4 // (no-op) it used to redact private keys; now they always are and this does nothing
        NotifyInitialDriveShares   NotifyWatchOpt = 1 << 5 // if set, the first Notify message (sent immediately) will contain the current Taildrive Shares
        NotifyInitialOutgoingFiles NotifyWatchOpt = 1 << 6 // if set, the first Notify message (sent immediately) will contain the current Taildrop OutgoingFiles

        NotifyInitialHealthState NotifyWatchOpt = 1 << 7 // if set, the first Notify message (sent immediately) will contain the current health.State of the client

        NotifyRateLimit NotifyWatchOpt = 1 << 8 // if set, rate limit spammy netmap updates to every few seconds

        NotifyHealthActions NotifyWatchOpt = 1 << 9 // if set, include PrimaryActions in health.State. Otherwise append the action URL to the text

        NotifyInitialSuggestedExitNode NotifyWatchOpt = 1 << 10 // if set, the first Notify message (sent immediately) will contain the current SuggestedExitNode if available
    )

NotifyWatchOpt values.

These aren't declared using Go's iota because they're not purely internal to the process and iota should not be used for values that are serialized to disk or network. In this case, these values come over the network via the LocalAPI, a mostly stable API.

type Options

    type Options struct {
        // FrontendLogID is the public logtail id used by the frontend.
        FrontendLogID string

        // UpdatePrefs, if provided, overrides the Prefs already stored in the
        // backend state, *except* for the Persist member.
        //
        // TODO(apenwarr): Rename this to Prefs, and possibly move Prefs.Persist
        // elsewhere entirely (as it always should have been).
        UpdatePrefs *Prefs

        // AuthKey is an optional node auth key used to authorize a
        // new node key without user interaction.
        AuthKey string
    }

type OutgoingFile (added in v1.64.0)

    type OutgoingFile struct {
        ID           string               `json:",omitempty"` // unique identifier for this transfer (a type 4 UUID)
        PeerID       tailcfg.StableNodeID `json:",omitempty"` // identifier for the peer to which this is being transferred
        Name         string               `json:",omitempty"` // e.g. "foo.jpg"
        Started      time.Time            // time transfer started
        DeclaredSize int64                // or -1 if unknown
        Sent         int64                // bytes copied thus far
        Finished     bool                 // indicates whether or not the transfer finished
        Succeeded    bool                 // for a finished transfer, indicates whether or not it was successful
    }

OutgoingFile represents an in-progress outgoing file transfer.

type PartialFile (added in v1.8.0)

    type PartialFile struct {
        Name         string    // e.g. "foo.jpg"
        Started      time.Time // time transfer started
        DeclaredSize int64     // or -1 if unknown
        Received     int64     // bytes copied thus far

        // PartialPath is set non-empty in "direct" file mode to the
        // in-progress '*.partial' file's path when the peerapi isn't
        // being used; see LocalBackend.SetDirectFileRoot.
        PartialPath string `json:",omitempty"`
        FinalPath   string `json:",omitempty"`

        // Done is set in "direct" mode when the partial file has been
        // closed and is ready for the caller to rename away the
        // ".partial" suffix.
        Done bool `json:",omitempty"`
    }

PartialFile represents an in-progress incoming file transfer.

type Prefs

type Prefs struct {
	// ControlURL is the URL of the control server to use.
	//
	// If empty, the default for new installs, DefaultControlURL
	// is used. It's set non-empty once the daemon has been started
	// for the first time.
	//
	// TODO(apenwarr): Make it safe to update this with EditPrefs().
	// Right now, you have to pass it in the initial prefs in Start(),
	// which is the only code that actually uses the ControlURL value.
	// It would be more consistent to restart controlclient
	// automatically whenever this variable changes.
	//
	// Meanwhile, you have to provide this as part of
	// Options.LegacyMigrationPrefs or Options.UpdatePrefs when
	// calling Backend.Start().
	ControlURL string

	// RouteAll specifies whether to accept subnets advertised by
	// other nodes on the Tailscale network. Note that this does not
	// include default routes (0.0.0.0/0 and ::/0), those are
	// controlled by ExitNodeID/IP below.
	RouteAll bool

	// ExitNodeID and ExitNodeIP specify the node that should be used
	// as an exit node for internet traffic. At most one of these
	// should be non-zero.
	//
	// The preferred way to express the chosen node is ExitNodeID, but
	// in some cases it's not possible to use that ID (e.g. in the
	// linux CLI, before tailscaled has a netmap). For those
	// situations, we allow specifying the exit node by IP, and
	// ipnlocal.LocalBackend will translate the IP into an ID when the
	// node is found in the netmap.
	//
	// If the selected exit node doesn't exist (e.g. it's not part of
	// the current tailnet), or it doesn't offer exit node services, a
	// blackhole route will be installed on the local system to
	// prevent any traffic escaping to the local network.
	ExitNodeID tailcfg.StableNodeID
	ExitNodeIP netip.Addr

	// AutoExitNode is an optional expression that specifies whether and how
	// tailscaled should pick an exit node automatically.
	//
	// If specified, tailscaled will use an exit node based on the expression,
	// and will re-evaluate the selection periodically as network conditions,
	// available exit nodes, or policy settings change. A blackhole route will
	// be installed to prevent traffic from escaping to the local network until
	// an exit node is selected. It takes precedence over ExitNodeID and ExitNodeIP.
	//
	// If empty, tailscaled will not automatically select an exit node.
	//
	// If the specified expression is invalid or unsupported by the client,
	// it falls back to the behavior of [AnyExitNode].
	//
	// As of 2025-07-02, the only supported value is [AnyExitNode].
	// It's a string rather than a boolean to allow future extensibility
	// (e.g., AutoExitNode = "mullvad" or AutoExitNode = "geo:us").
	AutoExitNode ExitNodeExpression `json:",omitempty"`

	// InternalExitNodePrior is the most recently used ExitNodeID in string form. It is set by
	// the backend on transition from exit node on to off and used by the
	// backend.
	//
	// As an Internal field, it can't be set by LocalAPI clients, rather it is set indirectly
	// when the ExitNodeID value is zero'd and via the set-use-exit-node-enabled endpoint.
	InternalExitNodePrior tailcfg.StableNodeID

	// ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
	// routed directly or via the exit node.
	ExitNodeAllowLANAccess bool

	// CorpDNS specifies whether to install the Tailscale network's
	// DNS configuration, if it exists.
	CorpDNS bool

	// RunSSH bool is whether this node should run an SSH
	// server, permitting access to peers according to the
	// policies as configured by the Tailnet's admin(s).
	RunSSH bool

	// RunWebClient bool is whether this node should expose
	// its web client over Tailscale at port 5252,
	// permitting access to peers according to the
	// policies as configured by the Tailnet's admin(s).
	RunWebClient bool

	// WantRunning indicates whether networking should be active on
	// this node.
	WantRunning bool

	// LoggedOut indicates whether the user intends to be logged out.
	// There are other reasons we may be logged out, including no valid
	// keys.
	// We need to remember this state so that, on next startup, we can
	// generate the "Login" vs "Connect" buttons correctly, without having
	// to contact the server to confirm our nodekey status first.
	LoggedOut bool

	// ShieldsUp indicates whether to block all incoming connections,
	// regardless of the control-provided packet filter. If false, we
	// use the packet filter as provided. If true, we block incoming
	// connections. This overrides tailcfg.Hostinfo's ShieldsUp.
	ShieldsUp bool

	// AdvertiseTags specifies tags that should be applied to this node, for
	// purposes of ACL enforcement. These can be referenced from the ACL policy
	// document. Note that advertising a tag on the client doesn't guarantee
	// that the control server will allow the node to adopt that tag.
	AdvertiseTags []string

	// Hostname is the hostname to use for identifying the node. If
	// not set, os.Hostname is used.
	Hostname string

	// NotepadURLs is a debugging setting that opens OAuth URLs in
	// notepad.exe on Windows, rather than loading them in a browser.
	//
	// apenwarr 2020-04-29: Unfortunately this is still needed sometimes.
	// Windows' default browser setting is sometimes screwy and this helps
	// users narrow it down a bit.
	NotepadURLs bool

	// ForceDaemon specifies whether a platform that normally
	// operates in "client mode" (that is, requires an active user
	// logged in with the GUI app running) should keep running after the
	// GUI ends and/or the user logs out.
	//
	// The only current applicable platform is Windows. This
	// forced Windows to go into "server mode" where Tailscale is
	// running even with no users logged in. This might also be
	// used for macOS in the future. This setting has no effect
	// for Linux/etc, which always operate in daemon mode.
	ForceDaemon bool `json:"ForceDaemon,omitempty"`

	// Egg is an optional debug flag.
	Egg bool `json:",omitempty"`

	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
	// Tailscale network as reachable through the current
	// node.
	AdvertiseRoutes []netip.Prefix

	// AdvertiseServices specifies the list of services that this
	// node can serve as a destination for. Note that an advertised
	// service must still go through the approval process from the
	// control server.
	AdvertiseServices []string

	// Sync is whether this node should sync its configuration from
	// the control plane. If unset, this defaults to true.
	// This exists primarily for testing, to verify that netmap caching
	// and offline operation work correctly.
	Sync opt.Bool

	// NoSNAT specifies whether to source NAT traffic going to
	// destinations in AdvertiseRoutes. The default is to apply source
	// NAT, which makes the traffic appear to come from the router
	// machine rather than the peer's Tailscale IP.
	//
	// Disabling SNAT requires additional manual configuration in your
	// network to route Tailscale traffic back to the subnet relay
	// machine.
	//
	// Linux-only.
	NoSNAT bool

	// NoStatefulFiltering specifies whether to apply stateful filtering when
	// advertising routes in AdvertiseRoutes. The default is to not apply
	// stateful filtering.
	//
	// To allow inbound connections from advertised routes, both NoSNAT and
	// NoStatefulFiltering must be true.
	//
	// This is an opt.Bool because it was first added after NoSNAT, with a
	// backfill based on the value of that parameter. The backfill has been
	// removed since then, but the field remains an opt.Bool.
	//
	// Linux-only.
	NoStatefulFiltering opt.Bool `json:",omitempty"`

	// NetfilterMode specifies how much to manage netfilter rules for
	// Tailscale, if at all.
	NetfilterMode preftype.NetfilterMode

	// OperatorUser is the local machine user name who is allowed to
	// operate tailscaled without being root or using sudo.
	OperatorUser string `json:",omitempty"`

	// ProfileName is the desired name of the profile. If empty, then the user's
	// LoginName is used. It is only used for display purposes in the client UI
	// and CLI.
	ProfileName string `json:",omitempty"`

	// AutoUpdate sets the auto-update preferences for the node agent. See
	// AutoUpdatePrefs docs for more details.
	AutoUpdate AutoUpdatePrefs

	// AppConnector sets the app connector preferences for the node agent. See
	// AppConnectorPrefs docs for more details.
	AppConnector AppConnectorPrefs

	// PostureChecking enables the collection of information used for device
	// posture checks.
	//
	// Note: this should be named ReportPosture, but it was shipped as
	// PostureChecking in some early releases and this JSON field is written to
	// disk, so we just keep its old name. (akin to CorpDNS which is an internal
	// pref name that doesn't match the public interface)
	PostureChecking bool

	// NetfilterKind specifies what netfilter implementation to use.
	//
	// It can be "iptables", "nftables", or "" to auto-detect.
	//
	// Linux-only.
	NetfilterKind string

	// DriveShares are the configured DriveShares, stored in increasing order
	// by name.
	DriveShares []*drive.Share

	// RelayServerPort is the UDP port number for the relay server to bind to,
	// on all interfaces. A non-nil zero value signifies a random unused port
	// should be used. A nil value signifies relay server functionality
	// should be disabled.
	RelayServerPort *uint16 `json:",omitempty"`

	// RelayServerStaticEndpoints are static IP:port endpoints to advertise as
	// candidates for relay connections. Only relevant when RelayServerPort is
	// non-nil.
	RelayServerStaticEndpoints []netip.AddrPort `json:",omitempty"`

	// AllowSingleHosts was a legacy field that was always true
	// for the past 4.5 years. It controlled whether Tailscale
	// peers got /32 or /128 routes for each other.
	// As of 2024-05-17 we're starting to ignore it, but to let
	// people still downgrade Tailscale versions and not break
	// all peer-to-peer networking we still write it to disk (as JSON)
	// so it can be loaded back by old versions.
	// TODO(bradfitz): delete this in 2025 sometime. See #12058.
	AllowSingleHosts marshalAsTrueInJSON

	// The Persist field is named 'Config' in the file for backward
	// compatibility with earlier versions.
	// TODO(apenwarr): We should move this out of here, it's not a pref.
	//  We can maybe do that once we're sure which module should persist
	//  it (backend or frontend?)
	Persist *persist.Persist `json:"Config"`
}

Prefs are the user modifiable settings of the Tailscale node agent. When you add a Pref to this struct, remember to add a corresponding field in MaskedPrefs, and check your field for equality in Prefs.Equals().
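As an added example (not code from the tailscale repository), the sketch below decodes a prefs JSON document and lists the settings documented in the struct above that widen what the node exposes or accepts. The `prefsSubset` type, the finding codes and the sample JSON are constructed here; it assumes untagged fields serialize under their Go names and that the opt.Bool field appears as JSON true, false or null.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// prefsSubset is a hypothetical local mirror of the Prefs fields read below.
// It is not ipn.Prefs; field names are taken from the struct documented above.
type prefsSubset struct {
	ExitNodeID          string
	ExitNodeIP          netip.Addr
	RunSSH              bool
	RunWebClient        bool
	ShieldsUp           bool
	AdvertiseRoutes     []netip.Prefix
	NoSNAT              bool
	NoStatefulFiltering *bool // assumption: stored as JSON true, false or null
	OperatorUser        string
	RelayServerPort     *uint16
}

// constructedPrefs is sample input made up for this example.
const constructedPrefs = `{
  "ExitNodeID": "nCONSTRUCTED1",
  "ExitNodeIP": "100.64.0.7",
  "RunSSH": true,
  "RunWebClient": true,
  "ShieldsUp": false,
  "AdvertiseRoutes": ["192.0.2.0/24", "0.0.0.0/0", "::/0"],
  "NoSNAT": true,
  "NoStatefulFiltering": true,
  "OperatorUser": "alice",
  "RelayServerPort": 0
}`

// routeKinds reports whether routes contain both /0 prefixes (the condition
// documented for AdvertisesExitNode) and whether any narrower subnet is present.
func routeKinds(routes []netip.Prefix) (exitNode, subnet bool) {
	var v4, v6 bool
	for _, r := range routes {
		switch {
		case !r.IsValid():
			continue // zero Prefix, e.g. decoded from an empty string
		case r.Bits() > 0:
			subnet = true
		case r.Addr().Is4():
			v4 = true
		default:
			v6 = true
		}
	}
	return v4 && v6, subnet
}

// AuditPrefs decodes prefs JSON and returns one finding code per
// exposure-relevant setting, always in the same order.
func AuditPrefs(data []byte) ([]string, error) {
	var p prefsSubset
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("decode prefs: %w", err)
	}
	exitNode, subnet := routeKinds(p.AdvertiseRoutes)
	noFilter := p.NoStatefulFiltering != nil && *p.NoStatefulFiltering
	relay := p.RelayServerPort != nil
	checks := []struct {
		hit  bool
		code string
	}{
		{!p.ShieldsUp, "shields-down"}, // inbound decided by the control-provided filter
		{p.RunSSH, "ssh-server"},
		{p.RunWebClient, "web-client-5252"},
		{exitNode, "exit-node-advertised"},
		{subnet, "subnet-routes-advertised"},
		{p.NoSNAT && noFilter, "inbound-from-advertised-routes"},
		{p.ExitNodeID != "" && p.ExitNodeIP.IsValid(), "exit-node-id-and-ip-both-set"},
		{p.OperatorUser != "", "operator-user"},
		{relay && *p.RelayServerPort == 0, "relay-server-random-port"},
		{relay && *p.RelayServerPort != 0, "relay-server-fixed-port"},
	}
	var findings []string
	for _, c := range checks {
		if c.hit {
			findings = append(findings, c.code)
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditPrefs([]byte(constructedPrefs))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```
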

func LoadPrefsWindows added in v1.66.0

func LoadPrefsWindows(filename string) (*Prefs, error)

LoadPrefsWindows loads a legacy relaynode config file into Prefs with sensible migration defaults set. Windows-only.

func NewPrefs

func NewPrefs() *Prefs

NewPrefs returns the default preferences to use.

func (*Prefs) AdminPageURL added in v1.12.0

func (p *Prefs) AdminPageURL(polc policyclient.Client) string

AdminPageURL returns the admin web site URL for the current ControlURL.

func (*Prefs) AdvertisesExitNode added in v1.20.0

func (p *Prefs) AdvertisesExitNode() bool

AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.

func (*Prefs) ApplyEdits added in v1.8.0

func (p *Prefs) ApplyEdits(m *MaskedPrefs)

ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs Set field that's true.

func (*Prefs) ClearExitNode added in v1.24.0

func (p *Prefs) ClearExitNode()

ClearExitNode sets the ExitNodeID and ExitNodeIP to their zero values.

func (*Prefs) Clone

func (src *Prefs) Clone() *Prefs

Clone makes a deep copy of Prefs. The result aliases no memory with the original.

func (*Prefs) ControlURLOrDefault added in v1.8.0

func (p *Prefs) ControlURLOrDefault(polc policyclient.Client) string

ControlURLOrDefault returns the coordination server's URL base.

If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.

func (*Prefs) DefaultRouteAll added in v1.84.0

func (p *Prefs) DefaultRouteAll(goos string) bool

DefaultRouteAll returns the default value of [Prefs.RouteAll] as a function of the platform it's running on.

func (*Prefs) Equals

func (p *Prefs) Equals(p2 *Prefs) bool

func (*Prefs) IsEmpty

func (p *Prefs) IsEmpty() bool

IsEmpty reports whether p is nil or pointing to a Prefs zero value.

func (*Prefs) Pretty

func (p *Prefs) Pretty() string

func (*Prefs) SetAdvertiseExitNode added in v1.20.0

func (p *Prefs) SetAdvertiseExitNode(runExit bool)

SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two /0 exit node routes.

func (*Prefs) SetExitNodeIP added in v1.24.0

func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error

SetExitNodeIP validates and sets the ExitNodeIP from a user-provided string specifying either an IP address or a MagicDNS base name ("foo", as opposed to "foo.bar.beta.tailscale.net"). This method does not mutate ExitNodeID and will fail if ExitNodeID is already set.

func (*Prefs) ShouldSSHBeRunning added in v1.26.0

func (p *Prefs) ShouldSSHBeRunning() bool

ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.

func (*Prefs) ShouldWebClientBeRunning added in v1.54.0

func (p *Prefs) ShouldWebClientBeRunning() bool

ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.

func (*Prefs) ToBytes

func (p *Prefs) ToBytes() []byte

func (*Prefs) View added in v1.32.3

func (p *Prefs) View() PrefsView

View returns a read-only view of Prefs.

type PrefsView added in v1.32.3

type PrefsView struct {
	// contains filtered or unexported fields
}

PrefsView provides a read-only view over Prefs.

Its methods should only be called if `Valid()` returns true.

func (PrefsView) AdminPageURL added in v1.34.0

func (p PrefsView) AdminPageURL(polc policyclient.Client) string

AdminPageURL returns the admin web site URL for the current ControlURL.

func (PrefsView) AdvertiseRoutes added in v1.32.3

func (v PrefsView) AdvertiseRoutes() views.Slice[netip.Prefix]

AdvertiseRoutes specifies CIDR prefixes to advertise into the Tailscale network as reachable through the current node.

func (PrefsView) AdvertiseServices added in v1.78.0

func (v PrefsView) AdvertiseServices() views.Slice[string]

AdvertiseServices specifies the list of services that this node can serve as a destination for. Note that an advertised service must still go through the approval process from the control server.

func (PrefsView) AdvertiseTags added in v1.32.3

func (v PrefsView) AdvertiseTags() views.Slice[string]

AdvertiseTags specifies tags that should be applied to this node, for purposes of ACL enforcement. These can be referenced from the ACL policy document. Note that advertising a tag on the client doesn't guarantee that the control server will allow the node to adopt that tag.

func (PrefsView) AdvertisesExitNode added in v1.34.0

func (p PrefsView) AdvertisesExitNode() bool

AdvertisesExitNode reports whether p is advertising both the v4 and v6 /0 exit node routes.

func (PrefsView) AllowSingleHosts added in v1.32.3

func (v PrefsView) AllowSingleHosts() marshalAsTrueInJSON

AllowSingleHosts was a legacy field that was always true for the past 4.5 years. It controlled whether Tailscale peers got /32 or /128 routes for each other. As of 2024-05-17 we're starting to ignore it, but to let people still downgrade Tailscale versions and not break all peer-to-peer networking we still write it to disk (as JSON) so it can be loaded back by old versions. TODO(bradfitz): delete this in 2025 sometime. See #12058.

func (PrefsView) AppConnector added in v1.54.0

func (v PrefsView) AppConnector() AppConnectorPrefs

AppConnector sets the app connector preferences for the node agent. See AppConnectorPrefs docs for more details.

func (PrefsView) AsStruct added in v1.32.3

func (v PrefsView) AsStruct() *Prefs

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (PrefsView) AutoExitNode added in v1.86.0

func (v PrefsView) AutoExitNode() ExitNodeExpression

AutoExitNode is an optional expression that specifies whether and how tailscaled should pick an exit node automatically.

If specified, tailscaled will use an exit node based on the expression, and will re-evaluate the selection periodically as network conditions, available exit nodes, or policy settings change. A blackhole route will be installed to prevent traffic from escaping to the local network until an exit node is selected. It takes precedence over ExitNodeID and ExitNodeIP.

If empty, tailscaled will not automatically select an exit node.

If the specified expression is invalid or unsupported by the client, it falls back to the behavior of AnyExitNode.

As of 2025-07-02, the only supported value is AnyExitNode. It's a string rather than a boolean to allow future extensibility (e.g., AutoExitNode = "mullvad" or AutoExitNode = "geo:us").

func (PrefsView) AutoUpdate added in v1.50.0

func (v PrefsView) AutoUpdate() AutoUpdatePrefs

AutoUpdate sets the auto-update preferences for the node agent. See AutoUpdatePrefs docs for more details.

func (PrefsView) ControlURL added in v1.32.3

func (v PrefsView) ControlURL() string

ControlURL is the URL of the control server to use.

If empty, the default for new installs, DefaultControlURL is used. It's set non-empty once the daemon has been started for the first time.

TODO(apenwarr): Make it safe to update this with EditPrefs(). Right now, you have to pass it in the initial prefs in Start(), which is the only code that actually uses the ControlURL value. It would be more consistent to restart controlclient automatically whenever this variable changes.

Meanwhile, you have to provide this as part of Options.LegacyMigrationPrefs or Options.UpdatePrefs when calling Backend.Start().

func (PrefsView) ControlURLOrDefault added in v1.32.3

func (p PrefsView) ControlURLOrDefault(polc policyclient.Client) string

ControlURLOrDefault returns the coordination server's URL base.

If not configured, or if the configured value is a legacy name equivalent to the default, then DefaultControlURL is returned instead.

func (PrefsView) CorpDNS added in v1.32.3

func (v PrefsView) CorpDNS() bool

CorpDNS specifies whether to install the Tailscale network's DNS configuration, if it exists.

func (PrefsView) DriveShares added in v1.64.0

DriveShares are the configured DriveShares, stored in increasing order by name.

func (PrefsView) Egg added in v1.32.3

func (v PrefsView) Egg() bool

Egg is an optional debug flag.

func (PrefsView) Equals added in v1.32.3

func (p PrefsView) Equals(p2 PrefsView) bool

func (PrefsView) ExitNodeAllowLANAccess added in v1.32.3

func (v PrefsView) ExitNodeAllowLANAccess() bool

ExitNodeAllowLANAccess indicates whether locally accessible subnets should be routed directly or via the exit node.

func (PrefsView) ExitNodeID added in v1.32.3

func (v PrefsView) ExitNodeID() tailcfg.StableNodeID

ExitNodeID and ExitNodeIP specify the node that should be used as an exit node for internet traffic. At most one of these should be non-zero.

The preferred way to express the chosen node is ExitNodeID, but in some cases it's not possible to use that ID (e.g. in the linux CLI, before tailscaled has a netmap). For those situations, we allow specifying the exit node by IP, and ipnlocal.LocalBackend will translate the IP into an ID when the node is found in the netmap.

If the selected exit node doesn't exist (e.g. it's not part of the current tailnet), or it doesn't offer exit node services, a blackhole route will be installed on the local system to prevent any traffic escaping to the local network.

func (PrefsView) ExitNodeIP added in v1.32.3

func (v PrefsView) ExitNodeIP() netip.Addr

func (PrefsView) ForceDaemon added in v1.32.3

func (v PrefsView) ForceDaemon() bool

ForceDaemon specifies whether a platform that normally operates in "client mode" (that is, requires an active user logged in with the GUI app running) should keep running after the GUI ends and/or the user logs out.

The only current applicable platform is Windows. This forced Windows to go into "server mode" where Tailscale is running even with no users logged in. This might also be used for macOS in the future. This setting has no effect for Linux/etc, which always operate in daemon mode.

func (PrefsView) Hostname added in v1.32.3

func (v PrefsView) Hostname() string

Hostname is the hostname to use for identifying the node. If not set, os.Hostname is used.

func (PrefsView) InternalExitNodePrior added in v1.64.0

func (v PrefsView) InternalExitNodePrior() tailcfg.StableNodeID

InternalExitNodePrior is the most recently used ExitNodeID in string form. It is set by the backend on transition from exit node on to off and used by the backend.

As an Internal field, it can't be set by LocalAPI clients, rather it is set indirectly when the ExitNodeID value is zero'd and via the set-use-exit-node-enabled endpoint.

func (PrefsView) LoggedOut added in v1.32.3

func (v PrefsView) LoggedOut() bool

LoggedOut indicates whether the user intends to be logged out. There are other reasons we may be logged out, including no valid keys. We need to remember this state so that, on next startup, we can generate the "Login" vs "Connect" buttons correctly, without having to contact the server to confirm our nodekey status first.

func (PrefsView) MarshalJSON added in v1.32.3

func (v PrefsView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (PrefsView) MarshalJSONTo added in v1.88.0

func (v PrefsView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (PrefsView) NetfilterKind added in v1.56.0

func (v PrefsView) NetfilterKind() string

NetfilterKind specifies what netfilter implementation to use.

It can be "iptables", "nftables", or "" to auto-detect.

Linux-only.

func (PrefsView) NetfilterMode added in v1.32.3

func (v PrefsView) NetfilterMode() preftype.NetfilterMode

NetfilterMode specifies how much to manage netfilter rules for Tailscale, if at all.

func (PrefsView) NoSNAT added in v1.32.3

func (v PrefsView) NoSNAT() bool

NoSNAT specifies whether to source NAT traffic going to destinations in AdvertiseRoutes. The default is to apply source NAT, which makes the traffic appear to come from the router machine rather than the peer's Tailscale IP.

Disabling SNAT requires additional manual configuration in your network to route Tailscale traffic back to the subnet relay machine.

Linux-only.

func (PrefsView) NoStatefulFiltering added in v1.66.0

func (v PrefsView) NoStatefulFiltering() opt.Bool

NoStatefulFiltering specifies whether to apply stateful filtering when advertising routes in AdvertiseRoutes. The default is to not apply stateful filtering.

To allow inbound connections from advertised routes, both NoSNAT and NoStatefulFiltering must be true.

This is an opt.Bool because it was first added after NoSNAT, with a backfill based on the value of that parameter. The backfill has been removed since then, but the field remains an opt.Bool.

Linux-only.

func (PrefsView) NotepadURLs added in v1.32.3

func (v PrefsView) NotepadURLs() bool

NotepadURLs is a debugging setting that opens OAuth URLs in notepad.exe on Windows, rather than loading them in a browser.

apenwarr 2020-04-29: Unfortunately this is still needed sometimes. Windows' default browser setting is sometimes screwy and this helps users narrow it down a bit.

func (PrefsView) OperatorUser added in v1.32.3

func (v PrefsView) OperatorUser() string

OperatorUser is the local machine user name who is allowed to operate tailscaled without being root or using sudo.

func (PrefsView) Persist added in v1.32.3

func (v PrefsView) Persist() persist.PersistView

The Persist field is named 'Config' in the file for backward compatibility with earlier versions. TODO(apenwarr): We should move this out of here, it's not a pref.

We can maybe do that once we're sure which module should persist it (backend or frontend?)

func (PrefsView) PostureChecking added in v1.52.0

func (v PrefsView) PostureChecking() bool

PostureChecking enables the collection of information used for device posture checks.

Note: this should be named ReportPosture, but it was shipped as PostureChecking in some early releases and this JSON field is written to disk, so we just keep its old name. (akin to CorpDNS which is an internal pref name that doesn't match the public interface)

func (PrefsView) Pretty added in v1.32.3

func (p PrefsView) Pretty() string

func (PrefsView) ProfileName added in v1.34.0

func (v PrefsView) ProfileName() string

ProfileName is the desired name of the profile. If empty, then the user's LoginName is used. It is only used for display purposes in the client UI and CLI.

func (PrefsView) RelayServerPort added in v1.84.0

func (v PrefsView) RelayServerPort() views.ValuePointer[uint16]

RelayServerPort is the UDP port number for the relay server to bind to, on all interfaces. A non-nil zero value signifies a random unused port should be used. A nil value signifies relay server functionality should be disabled.

func (PrefsView) RelayServerStaticEndpoints added in v1.92.0

func (v PrefsView) RelayServerStaticEndpoints() views.Slice[netip.AddrPort]

RelayServerStaticEndpoints are static IP:port endpoints to advertise as candidates for relay connections. Only relevant when RelayServerPort is non-nil.

func (PrefsView) RouteAll added in v1.32.3

func (v PrefsView) RouteAll() bool

RouteAll specifies whether to accept subnets advertised by other nodes on the Tailscale network. Note that this does not include default routes (0.0.0.0/0 and ::/0), those are controlled by ExitNodeID/IP below.

func (PrefsView) RunSSH added in v1.32.3

func (v PrefsView) RunSSH() bool

RunSSH bool is whether this node should run an SSH server, permitting access to peers according to the policies as configured by the Tailnet's admin(s).

func (PrefsView) RunWebClient added in v1.54.0

func (v PrefsView) RunWebClient() bool

RunWebClient bool is whether this node should expose its web client over Tailscale at port 5252, permitting access to peers according to the policies as configured by the Tailnet's admin(s).

func (PrefsView) ShieldsUp added in v1.32.3

func (v PrefsView) ShieldsUp() bool

ShieldsUp indicates whether to block all incoming connections, regardless of the control-provided packet filter. If false, we use the packet filter as provided. If true, we block incoming connections. This overrides tailcfg.Hostinfo's ShieldsUp.

func (PrefsView) ShouldSSHBeRunning added in v1.32.3

func (p PrefsView) ShouldSSHBeRunning() bool

ShouldSSHBeRunning reports whether the SSH server should be running based on the prefs.

func (PrefsView) ShouldWebClientBeRunning added in v1.54.0

func (p PrefsView) ShouldWebClientBeRunning() bool

ShouldWebClientBeRunning reports whether the web client server should be running based on the prefs.

func (PrefsView) Sync added in v1.92.0

func (v PrefsView) Sync() opt.Bool

Sync is whether this node should sync its configuration from the control plane. If unset, this defaults to true. This exists primarily for testing, to verify that netmap caching and offline operation work correctly.

func (PrefsView) ToBytes added in v1.32.3

func (p PrefsView) ToBytes() []byte

func (*PrefsView) UnmarshalJSON added in v1.32.3

func (v *PrefsView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*PrefsView) UnmarshalJSONFrom added in v1.88.0

func (v *PrefsView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (PrefsView) Valid added in v1.32.3

func (v PrefsView) Valid() bool

Valid reports whether v's underlying value is non-nil.

func (PrefsView) WantRunning added in v1.32.3

func (v PrefsView) WantRunning() bool

WantRunning indicates whether networking should be active on this node.

type ProfileID added in v1.34.0

type ProfileID string

ProfileID is an auto-generated system-wide unique identifier for a login profile. It is a 4 character hex string like "1ab3".

type ServeConfig added in v1.34.0

type ServeConfig struct {
	// TCP are the list of TCP port numbers that tailscaled should handle for
	// the Tailscale IP addresses. (not subnet routers, etc)
	TCP map[uint16]*TCPPortHandler `json:",omitempty"`

	// Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
	// keyed by mount point ("/", "/foo", etc)
	Web map[HostPort]*WebServerConfig `json:",omitempty"`

	// Services maps from service name (in the form "svc:dns-label") to a ServiceConfig.
	// Which describes the L3, L4, and L7 forwarding information for the service.
	Services map[tailcfg.ServiceName]*ServiceConfig `json:",omitempty"`

	// AllowFunnel is the set of SNI:port values for which funnel
	// traffic is allowed, from trusted ingress peers.
	AllowFunnel map[HostPort]bool `json:",omitempty"`

	// Foreground is a map of an IPN Bus session ID to an alternate foreground serve config that's valid for the
	// life of that WatchIPNBus session ID. This allows the config to specify ephemeral configs that are used
	// in the CLI's foreground mode to ensure ungraceful shutdowns of either the client or the LocalBackend does not
	// expose ports that users are not aware of. In practice this contains any serve config set via 'tailscale
	// serve' command run without the '--bg' flag. ServeConfig contained by Foreground is not expected itself to contain
	// another Foreground block.
	Foreground map[string]*ServeConfig `json:",omitempty"`

	// ETag is the checksum of the serve config that's populated
	// by the LocalClient through the HTTP ETag header during a
	// GetServeConfig request and is translated to an If-Match header
	// during a SetServeConfig request.
	ETag string `json:"-"`
}

ServeConfig is the JSON type stored in the StateStore for StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.
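As an added example (not code from the tailscale repository), the sketch below walks a stored serve config, including the per-session Foreground configs, and lists every SNI:port for which funnel is allowed, noting whether the same config also has a TCP entry for that port. The `serveSubset` and `FunnelEntry` types, the host name, the session ID and the sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strconv"
)

// serveSubset is a hypothetical local mirror of the ServeConfig fields read
// below; handler values stay raw JSON because only the port keys matter here.
type serveSubset struct {
	TCP         map[uint16]json.RawMessage
	AllowFunnel map[string]bool
	Foreground  map[string]*serveSubset
}

// FunnelEntry is one SNI:port value for which funnel traffic is allowed.
type FunnelEntry struct {
	HostPort   string
	Session    string // IPN bus session ID; empty for the background config
	HasHandler bool   // the same config has a TCP entry for this port
}

// constructedServe is sample input made up for this example.
const constructedServe = `{
  "TCP": {"443": {"HTTPS": true}},
  "AllowFunnel": {"node.example.ts.net:443": true, "node.example.ts.net:8443": false},
  "Foreground": {
    "sess-constructed": {
      "TCP": {"10000": {"HTTPS": true}},
      "AllowFunnel": {"node.example.ts.net:10000": true, "node.example.ts.net:8443": true}
    }
  }
}`

// collect appends the funnel-enabled entries of one config to out.
func collect(sc *serveSubset, session string, out []FunnelEntry) ([]FunnelEntry, error) {
	for hp, on := range sc.AllowFunnel {
		if !on {
			continue // an explicit false entry does not allow funnel
		}
		_, portStr, err := net.SplitHostPort(hp)
		if err != nil {
			return nil, fmt.Errorf("AllowFunnel key %q: %w", hp, err)
		}
		port, err := strconv.ParseUint(portStr, 10, 16)
		if err != nil {
			return nil, fmt.Errorf("AllowFunnel key %q: %w", hp, err)
		}
		_, has := sc.TCP[uint16(port)]
		out = append(out, FunnelEntry{HostPort: hp, Session: session, HasHandler: has})
	}
	return out, nil
}

// FunnelExposure returns the funnel-enabled endpoints of the background config
// and of every foreground session, sorted by session ID and then by host:port.
func FunnelExposure(data []byte) ([]FunnelEntry, error) {
	var sc serveSubset
	if err := json.Unmarshal(data, &sc); err != nil {
		return nil, fmt.Errorf("decode serve config: %w", err)
	}
	out, err := collect(&sc, "", nil)
	if err != nil {
		return nil, err
	}
	for id, fg := range sc.Foreground {
		if fg == nil {
			continue
		}
		if out, err = collect(fg, id, out); err != nil {
			return nil, err
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Session != out[j].Session {
			return out[i].Session < out[j].Session
		}
		return out[i].HostPort < out[j].HostPort
	})
	return out, nil
}

func main() {
	entries, err := FunnelExposure([]byte(constructedServe))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%-28s session=%q handler=%v\n", e.HostPort, e.Session, e.HasHandler)
	}
}
```
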

func (*ServeConfig)Cloneadded inv1.34.0

func (src *ServeConfig) Clone() *ServeConfig

Clone makes a deep copy of ServeConfig.The result aliases no memory with the original.

func (*ServeConfig)FindConfigadded inv1.62.0

func (sc *ServeConfig) FindConfig(portuint16) (*ServeConfig,bool)

FindConfig finds a config that contains the given port, which can bethe top level background config or an inner foreground one.The second result is true if it's foreground.

func (*ServeConfig)GetTCPPortHandleradded inv1.34.0

func (sc *ServeConfig) GetTCPPortHandler(portuint16, svcNametailcfg.ServiceName) *TCPPortHandler

GetTCPPortHandler returns the TCPPortHandler for the given port. If the portis not configured, nil is returned. Parameter svcName can be tailcfg.NoServicefor local serve or a service name for a service hosted on node.

func (*ServeConfig)GetWebHandleradded inv1.34.0

func (sc *ServeConfig) GetWebHandler(svcNametailcfg.ServiceName, hpHostPort, mountstring) *HTTPHandler

GetWebHandler returns the HTTPHandler for the given host:port and mount point.Returns nil if the handler does not exist.

func (*ServeConfig)HasPathHandleradded inv1.44.3

func (sc *ServeConfig) HasPathHandler()bool

HasPathHandler reports whether if ServeConfig has at leastone path handler, including foreground configs.

func (*ServeConfig)IsFunnelOnadded inv1.34.0

func (sc *ServeConfig) IsFunnelOn()bool

IsFunnelOn reports whether any funnel endpoint is currently enabled for this node.

func (*ServeConfig)IsServingHTTPadded inv1.44.0

func (sc *ServeConfig) IsServingHTTP(portuint16, svcNametailcfg.ServiceName)bool

IsServingHTTP reports whether ServeConfig is currently serving HTTP on thegiven port for local or a service. svcName will be either tailcfg.NoService forlocal serve, or a serviceName for service hosted on node. This is exclusivewith HTTPS and TCPForwarding.

func (*ServeConfig)IsServingHTTPSadded inv1.44.0

func (sc *ServeConfig) IsServingHTTPS(portuint16, svcNametailcfg.ServiceName)bool

IsServingHTTPS reports whether ServeConfig is currently serving HTTPS onthe given port for local or a service. svcName will be either tailcfg.NoServicefor local serve, or a serviceName for service hosted on node. This is exclusivewith HTTP and TCPForwarding.

func (*ServeConfig)IsServingWebadded inv1.34.0

func (sc *ServeConfig) IsServingWeb(portuint16, svcNametailcfg.ServiceName)bool

IsServingWeb reports whether ServeConfig is currently serving Web (HTTP/HTTPS)on the given port for local or a service. svcName will be either tailcfg.NoService,or a serviceName for service hosted on node. This is exclusive with TCPForwarding.

func (*ServeConfig) IsTCPForwardingAny added in v1.34.0

func (sc *ServeConfig) IsTCPForwardingAny() bool

IsTCPForwardingAny reports whether ServeConfig is currently forwarding in TCPForward mode on any port. This is exclusive of Web/HTTPS serving.

func (*ServeConfig) IsTCPForwardingOnPort added in v1.34.0

func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16, svcName tailcfg.ServiceName) bool

IsTCPForwardingOnPort reports whether ServeConfig is currently forwarding in TCPForward mode on the given port for local or a service. svcName will either be noService (empty string) for local serve or a serviceName for service hosted on node. Notice TCPForwarding is exclusive with Web/HTTPS serving.

func (*ServeConfig) RemoveServiceWebHandler added in v1.86.0

func (sc *ServeConfig) RemoveServiceWebHandler(svcName tailcfg.ServiceName, hostName string, port uint16, mounts []string)

RemoveServiceWebHandler deletes the web handlers at all of the given mount points for the provided host and port in the serve config for the given service.

func (*ServeConfig) RemoveTCPForwarding added in v1.62.0

func (sc *ServeConfig) RemoveTCPForwarding(svcName tailcfg.ServiceName, port uint16)

RemoveTCPForwarding deletes the TCP forwarding configuration for the given port from the serve config.

func (*ServeConfig) RemoveWebHandler added in v1.62.0

func (sc *ServeConfig) RemoveWebHandler(host string, port uint16, mounts []string, cleanupFunnel bool)

RemoveWebHandler deletes the web handlers at all of the given mount points for the provided host and port in the serve config for the node (as opposed to a service). If cleanupFunnel is true, this also removes the funnel value for this port if no handlers remain.

func (*ServeConfig) SetFunnel added in v1.62.0

func (sc *ServeConfig) SetFunnel(host string, port uint16, setOn bool)

SetFunnel sets the sc.AllowFunnel value for the given host and port.

func (*ServeConfig) SetTCPForwarding added in v1.62.0

func (sc *ServeConfig) SetTCPForwarding(port uint16, fwdAddr string, terminateTLS bool, proxyProtocol int, host string)

SetTCPForwarding sets the fwdAddr (IP:port form) to which to forward connections from the given port. If terminateTLS is true, TLS connections are terminated with only the given host name permitted before passing them to the fwdAddr.

If proxyProtocol is non-zero, the corresponding PROXY protocol version header is sent before forwarding the connection.

func (*ServeConfig) SetWebHandler added in v1.62.0

func (sc *ServeConfig) SetWebHandler(handler *HTTPHandler, host string, port uint16, mount string, useTLS bool, mds string)

SetWebHandler sets the given HTTPHandler at the specified host, port, and mount in the serve config. sc.TCP is also updated to reflect web serving usage of the given port. The st argument is needed when setting a web handler for a service, otherwise it can be nil. mds is the Magic DNS suffix, which is used to recreate serve's host.

func (*ServeConfig) View added in v1.34.0

View returns a read-only view of ServeConfig.

func (*ServeConfig) WebHandlerExists added in v1.34.0

func (sc *ServeConfig) WebHandlerExists(svcName tailcfg.ServiceName, hp HostPort, mount string) bool

WebHandlerExists reports whether the ServeConfig Web handler exists for the given host:port and mount point.

type ServeConfigView added in v1.34.0

type ServeConfigView struct {
	// contains filtered or unexported fields
}

ServeConfigView provides a read-only view over ServeConfig.

Its methods should only be called if `Valid()` returns true.

func (ServeConfigView) AllowFunnel added in v1.34.0

func (v ServeConfigView) AllowFunnel() views.Map[HostPort, bool]

AllowFunnel is the set of SNI:port values for which funnel traffic is allowed, from trusted ingress peers.

func (ServeConfigView) AsStruct added in v1.34.0

func (v ServeConfigView) AsStruct() *ServeConfig

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (ServeConfigView) ETag added in v1.50.0

func (v ServeConfigView) ETag() string

ETag is the checksum of the serve config that's populated by the LocalClient through the HTTP ETag header during a GetServeConfig request and is translated to an If-Match header during a SetServeConfig request.

func (ServeConfigView) FindForegroundTCP added in v1.92.0

func (v ServeConfigView) FindForegroundTCP(port uint16) (res TCPPortHandlerView, ok bool)

FindForegroundTCP returns the first foreground TCP handler matching the input port.

func (ServeConfigView) FindServiceTCP added in v1.80.0

func (v ServeConfigView) FindServiceTCP(svcName tailcfg.ServiceName, port uint16) (res TCPPortHandlerView, ok bool)

FindServiceTCP returns the TCPPortHandlerView for the given service name and port.

func (ServeConfigView) FindServiceWeb added in v1.80.0

func (v ServeConfigView) FindServiceWeb(svcName tailcfg.ServiceName, hp HostPort) (res WebServerConfigView, ok bool)

FindServiceWeb returns the web handler for the service's host-port.

func (ServeConfigView) FindTCP added in v1.50.0

func (v ServeConfigView) FindTCP(port uint16) (res TCPPortHandlerView, ok bool)

FindTCP returns the first TCP that matches with the given port. It prefers a foreground match first followed by a background search if none existed.

func (ServeConfigView) FindWeb added in v1.50.0

FindWeb returns the first Web that matches with the given HostPort. It prefers a foreground match first followed by a background search if none existed.

func (ServeConfigView) Foreground added in v1.50.0

Foreground is a map of an IPN Bus session ID to an alternate foreground serve config that's valid for the life of that WatchIPNBus session ID. This allows the config to specify ephemeral configs that are used in the CLI's foreground mode to ensure ungraceful shutdowns of either the client or the LocalBackend do not expose ports that users are not aware of. In practice this contains any serve config set via the 'tailscale serve' command run without the '--bg' flag. A ServeConfig contained by Foreground is not expected itself to contain another Foreground block.

func (ServeConfigView) HasAllowFunnel added in v1.50.0

func (v ServeConfigView) HasAllowFunnel() bool

HasAllowFunnel returns whether this config has at least one AllowFunnel set in the background or foreground configs.

func (ServeConfigView) HasFunnelForTarget added in v1.50.0

func (v ServeConfigView) HasFunnelForTarget(target HostPort) bool

FindFunnel reports whether target exists in either the background AllowFunnel or any of the foreground configs.

func (ServeConfigView) IsFunnelOn added in v1.38.4

func (v ServeConfigView) IsFunnelOn() bool

IsFunnelOn reports whether ServeConfig is currently allowing funnel traffic for any host:port.

View version of ServeConfig.IsFunnelOn.

func (ServeConfigView) MarshalJSON added in v1.34.0

func (v ServeConfigView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (ServeConfigView) MarshalJSONTo added in v1.88.0

func (v ServeConfigView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (ServeConfigView) Services added in v1.78.0

Services maps from service name (in the form "svc:dns-label") to a ServiceConfig, which describes the L3, L4, and L7 forwarding information for the service.

func (ServeConfigView) TCP added in v1.34.0

TCP are the list of TCP port numbers that tailscaled should handle for the Tailscale IP addresses. (not subnet routers, etc)

func (ServeConfigView) TCPs added in v1.80.0

TCPs returns an iterator over both background and foreground TCP listeners.

The key is the port number.

func (*ServeConfigView) UnmarshalJSON added in v1.34.0

func (v *ServeConfigView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*ServeConfigView) UnmarshalJSONFrom added in v1.88.0

func (v *ServeConfigView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (ServeConfigView) Valid added in v1.34.0

func (v ServeConfigView) Valid() bool

Valid reports whether v's underlying value is non-nil.

func (ServeConfigView) Web added in v1.34.0

Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers keyed by mount point ("/", "/foo", etc)

func (ServeConfigView) Webs added in v1.80.0

Webs returns an iterator over both background and foreground Web configurations.

type ServiceConfig added in v1.78.0

type ServiceConfig struct {
	// TCP are the list of TCP port numbers that tailscaled should handle for
	// the Tailscale IP addresses. (not subnet routers, etc)
	TCP map[uint16]*TCPPortHandler `json:",omitempty"`

	// Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
	// keyed by mount point ("/", "/foo", etc)
	Web map[HostPort]*WebServerConfig `json:",omitempty"`

	// Tun determines if the service should be using L3 forwarding (Tun mode).
	Tun bool `json:",omitempty"`
}

ServiceConfig contains the config information for a single service. It contains a bool to indicate if the service is in Tun mode (L3 forwarding). If the service is not in Tun mode, the service is configured by the L4 forwarding (TCP ports) and/or the L7 forwarding (http handlers) information.

func (*ServiceConfig) Clone added in v1.78.0

func (src *ServiceConfig) Clone() *ServiceConfig

Clone makes a deep copy of ServiceConfig. The result aliases no memory with the original.

func (*ServiceConfig) View added in v1.78.0

View returns a read-only view of ServiceConfig.

type ServiceConfigView added in v1.78.0

type ServiceConfigView struct {
	// contains filtered or unexported fields
}

ServiceConfigView provides a read-only view over ServiceConfig.

Its methods should only be called if `Valid()` returns true.

func (ServiceConfigView) AsStruct added in v1.78.0

func (v ServiceConfigView) AsStruct() *ServiceConfig

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (ServiceConfigView) MarshalJSON added in v1.78.0

func (v ServiceConfigView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (ServiceConfigView) MarshalJSONTo added in v1.88.0

func (v ServiceConfigView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (ServiceConfigView) ServicePortRange added in v1.80.0

func (v ServiceConfigView) ServicePortRange() []tailcfg.ProtoPortRange

ServicePortRange returns the list of tailcfg.ProtoPortRange that represents the proto/ports pairs that are being served by the service.

Right now Tun mode is the only thing that supports UDP, otherwise serve only supports TCP.

func (ServiceConfigView) TCP added in v1.78.0

TCP are the list of TCP port numbers that tailscaled should handle for the Tailscale IP addresses. (not subnet routers, etc)

func (ServiceConfigView) Tun added in v1.78.0

func (v ServiceConfigView) Tun() bool

Tun determines if the service should be using L3 forwarding (Tun mode).

func (*ServiceConfigView) UnmarshalJSON added in v1.78.0

func (v *ServiceConfigView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*ServiceConfigView) UnmarshalJSONFrom added in v1.88.0

func (v *ServiceConfigView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (ServiceConfigView) Valid added in v1.78.0

func (v ServiceConfigView) Valid() bool

Valid reports whether v's underlying value is non-nil.

func (ServiceConfigView) Web added in v1.78.0

Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers keyed by mount point ("/", "/foo", etc)

type State

type State int

const (
	NoState          State = 0
	InUseOtherUser   State = 1
	NeedsLogin       State = 2
	NeedsMachineAuth State = 3
	Stopped          State = 4
	Starting         State = 5
	Running          State = 6
)

func (State) String

func (s State) String() string

type StateKey

type StateKey string

StateKey is an opaque identifier for a set of LocalBackend state (preferences, private keys, etc.). It is also used as a key for the various LoginProfiles that the instance may be signed into.

Additionally, the StateKey can be a debug setting name:

  • "_debug_magicsock_until" with value being a unix timestamp stringified
  • "_debug_<component>_until" with value being a unix timestamp stringified

func CurrentProfileKey added in v1.34.0

func CurrentProfileKey(userID string) StateKey

CurrentProfileID returns the StateKey that stores the current profile ID. The value is a JSON-encoded LoginProfile. If the userID is empty, the key returned is CurrentProfileStateKey, otherwise it is "_current/"+userID.

func ServeConfigKey added in v1.34.0

func ServeConfigKey(profileID ProfileID) StateKey

ServeConfigKey returns a StateKey that stores the JSON-encoded ServeConfig for a config profile.

type StateStore

type StateStore interface {
	// ReadState returns the bytes associated with ID. Returns (nil,
	// ErrStateNotExist) if the ID doesn't have associated state.
	ReadState(id StateKey) ([]byte, error)
	// WriteState saves bs as the state associated with ID.
	//
	// Callers should generally use the ipn.WriteState wrapper func
	// instead, which only writes if the value is different from what's
	// already in the store.
	WriteState(id StateKey, bs []byte) error
}

StateStore persists state, and produces it back on request. Implementations of StateStore are expected to be safe for concurrent use.
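The StateStore contract above (missing key returns ErrStateNotExist, concurrent-safe access, writes skipped when the value is unchanged) can be exercised with a small in-memory store. This is an added example, not code from the tailscale repository: StateKey, ErrStateNotExist and StateStore are local stand-ins for the ipn identifiers, and memStore, newMemStore and writeIfChanged are hypothetical names.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
)

// Stand-ins for ipn.StateKey, ipn.ErrStateNotExist and ipn.StateStore so the
// example builds without the tailscale module (assumption of this example).
type StateKey string

var ErrStateNotExist = errors.New("no state with given ID")

type StateStore interface {
	ReadState(id StateKey) ([]byte, error)
	WriteState(id StateKey, bs []byte) error
}

// memStore is a hypothetical in-memory store, safe for concurrent use.
type memStore struct {
	mu     sync.Mutex
	m      map[StateKey][]byte
	writes int // number of writes that reached the backend
}

func newMemStore() *memStore { return &memStore{m: make(map[StateKey][]byte)} }

func (s *memStore) ReadState(id StateKey) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	bs, ok := s.m[id]
	if !ok {
		return nil, ErrStateNotExist
	}
	// Return a copy so callers cannot mutate stored state (which may hold keys).
	return append([]byte(nil), bs...), nil
}

func (s *memStore) WriteState(id StateKey, bs []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[id] = append([]byte(nil), bs...)
	s.writes++
	return nil
}

// writeIfChanged follows the behaviour the page describes for the
// ipn.WriteState wrapper: skip the write when the stored value is identical.
func writeIfChanged(st StateStore, id StateKey, bs []byte) error {
	if cur, err := st.ReadState(id); err == nil && bytes.Equal(cur, bs) {
		return nil
	}
	return st.WriteState(id, bs)
}

func main() {
	st := newMemStore()
	_, err := st.ReadState("_profiles")
	fmt.Println("missing key:", errors.Is(err, ErrStateNotExist))
	writeIfChanged(st, "_profiles", []byte("[]"))
	writeIfChanged(st, "_profiles", []byte("[]")) // identical value, skipped
	fmt.Println("backend writes:", st.writes)
}
```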

type StateStoreDialerSetter added in v1.40.0

type StateStoreDialerSetter interface {
	SetDialer(d func(ctx context.Context, network, address string) (net.Conn, error))
}

StateStoreDialerSetter is an optional interface that StateStores can implement to allow the caller to set a custom dialer.

type TCPPortHandler added in v1.34.0

type TCPPortHandler struct {
	// HTTPS, if true, means that tailscaled should handle this connection as an
	// HTTPS request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTPS bool `json:",omitempty"`

	// HTTP, if true, means that tailscaled should handle this connection as an
	// HTTP request as configured by ServeConfig.Web.
	//
	// It is mutually exclusive with TCPForward.
	HTTP bool `json:",omitempty"`

	// TCPForward is the IP:port to forward TCP connections to.
	// Whether or not TLS is terminated by tailscaled depends on
	// TerminateTLS.
	//
	// It is mutually exclusive with HTTPS.
	TCPForward string `json:",omitempty"`

	// TerminateTLS, if non-empty, means that tailscaled should terminate the
	// TLS connections before forwarding them to TCPForward, permitting only the
	// SNI name with this value. It is only used if TCPForward is non-empty.
	// (the HTTPS mode uses ServeConfig.Web)
	TerminateTLS string `json:",omitempty"`

	// ProxyProtocol indicates whether to send a PROXY protocol header
	// before forwarding the connection to TCPForward.
	//
	// This is only valid if TCPForward is non-empty.
	ProxyProtocol int `json:",omitzero"`
}

TCPPortHandler describes what to do when handling a TCP connection.
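The field rules documented for TCPPortHandler (HTTP, HTTPS and TCPForward are mutually exclusive; TerminateTLS and ProxyProtocol only apply with TCPForward) can be checked against a JSON-encoded ServeConfig, together with a list of host:port values that have funnel enabled in the background or any foreground config. This is an added example, not code from the tailscale repository: the types are local mirrors declaring only the audited fields, Audit, auditOne and Report are hypothetical names, and the JSON is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Local mirrors of the ipn types on this page; only audited fields are declared.
type TCPPortHandler struct {
	HTTPS, HTTP              bool
	TCPForward, TerminateTLS string
	ProxyProtocol            int
}

type ServeConfig struct {
	TCP         map[uint16]TCPPortHandler
	AllowFunnel map[string]bool        // "host:port" => funnel allowed
	Foreground  map[string]ServeConfig // session ID => foreground config
}

// Report holds rule violations and the host:port values with funnel enabled.
type Report struct{ Violations, FunnelTargets []string }

// sampleJSON is constructed for this example; it is not real node state.
const sampleJSON = `{
 "TCP": {"443": {"HTTPS": true},
  "8443": {"HTTPS": true, "TCPForward": "127.0.0.1:9000"},
  "5432": {"TCPForward": "127.0.0.1:5432", "TerminateTLS": "db.example.ts.net"},
  "2222": {"TerminateTLS": "ssh.example.ts.net", "ProxyProtocol": 2}},
 "AllowFunnel": {"node.example.ts.net:443": true, "node.example.ts.net:8443": false},
 "Foreground": {"sess-1": {"TCP": {"8080": {"HTTP": true, "HTTPS": true}},
  "AllowFunnel": {"node.example.ts.net:8080": true}}}
}`

// auditOne applies the documented TCPPortHandler rules to one config scope.
func auditOne(scope string, sc ServeConfig, r *Report) {
	for port, h := range sc.TCP {
		bad := func(cond bool, msg string) {
			if cond {
				r.Violations = append(r.Violations, fmt.Sprintf("%s port %d: %s", scope, port, msg))
			}
		}
		bad(h.HTTP && h.HTTPS, "HTTP and HTTPS both set")
		bad((h.HTTP || h.HTTPS) && h.TCPForward != "", "web serving and TCPForward both set")
		bad(h.TerminateTLS != "" && h.TCPForward == "", "TerminateTLS without TCPForward")
		bad(h.ProxyProtocol != 0 && h.TCPForward == "", "ProxyProtocol without TCPForward")
	}
	for hp, on := range sc.AllowFunnel {
		if on {
			r.FunnelTargets = append(r.FunnelTargets, hp+" ("+scope+")")
		}
	}
}

// Audit decodes a ServeConfig and checks the background and foreground scopes.
func Audit(raw []byte) (r Report, err error) {
	var sc ServeConfig
	if err = json.Unmarshal(raw, &sc); err != nil {
		return r, err
	}
	auditOne("background", sc, &r)
	for id, fg := range sc.Foreground {
		auditOne("foreground "+id, fg, &r)
	}
	sort.Strings(r.Violations) // map iteration order is random; sort for stable output
	sort.Strings(r.FunnelTargets)
	return r, nil
}

func main() {
	r, err := Audit([]byte(sampleJSON))
	fmt.Println(r.Violations, r.FunnelTargets, err)
}
```

Per-service configs under Services are not covered; they carry the same TCP map and could be passed through the same checks.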

func (*TCPPortHandler) Clone added in v1.34.0

func (src *TCPPortHandler) Clone() *TCPPortHandler

Clone makes a deep copy of TCPPortHandler. The result aliases no memory with the original.

func (*TCPPortHandler) View added in v1.34.0

View returns a read-only view of TCPPortHandler.

type TCPPortHandlerView added in v1.34.0

type TCPPortHandlerView struct {
	// contains filtered or unexported fields
}

TCPPortHandlerView provides a read-only view over TCPPortHandler.

Its methods should only be called if `Valid()` returns true.

func (TCPPortHandlerView) AsStruct added in v1.34.0

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (TCPPortHandlerView) HTTP added in v1.44.0

func (v TCPPortHandlerView) HTTP() bool

HTTP, if true, means that tailscaled should handle this connection as an HTTP request as configured by ServeConfig.Web.

It is mutually exclusive with TCPForward.

func (TCPPortHandlerView) HTTPS added in v1.34.0

func (v TCPPortHandlerView) HTTPS() bool

HTTPS, if true, means that tailscaled should handle this connection as an HTTPS request as configured by ServeConfig.Web.

It is mutually exclusive with TCPForward.

func (TCPPortHandlerView) MarshalJSON added in v1.34.0

func (v TCPPortHandlerView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (TCPPortHandlerView) MarshalJSONTo added in v1.88.0

func (v TCPPortHandlerView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (TCPPortHandlerView) ProxyProtocol added in v1.92.0

func (v TCPPortHandlerView) ProxyProtocol() int

ProxyProtocol indicates whether to send a PROXY protocol header before forwarding the connection to TCPForward.

This is only valid if TCPForward is non-empty.

func (TCPPortHandlerView) TCPForward added in v1.34.0

func (v TCPPortHandlerView) TCPForward() string

TCPForward is the IP:port to forward TCP connections to. Whether or not TLS is terminated by tailscaled depends on TerminateTLS.

It is mutually exclusive with HTTPS.

func (TCPPortHandlerView) TerminateTLS added in v1.34.0

func (v TCPPortHandlerView) TerminateTLS() string

TerminateTLS, if non-empty, means that tailscaled should terminate the TLS connections before forwarding them to TCPForward, permitting only the SNI name with this value. It is only used if TCPForward is non-empty. (the HTTPS mode uses ServeConfig.Web)

func (*TCPPortHandlerView) UnmarshalJSON added in v1.34.0

func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*TCPPortHandlerView) UnmarshalJSONFrom added in v1.88.0

func (v *TCPPortHandlerView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (TCPPortHandlerView) Valid added in v1.34.0

func (v TCPPortHandlerView) Valid() bool

Valid reports whether v's underlying value is non-nil.

type WebServerConfig added in v1.34.0

type WebServerConfig struct {
	Handlers map[string]*HTTPHandler // mountPoint => handler
}

WebServerConfig describes a web server's configuration.

func (*WebServerConfig) Clone added in v1.34.0

func (src *WebServerConfig) Clone() *WebServerConfig

Clone makes a deep copy of WebServerConfig. The result aliases no memory with the original.

func (*WebServerConfig) View added in v1.34.0

View returns a read-only view of WebServerConfig.

type WebServerConfigView added in v1.34.0

type WebServerConfigView struct {
	// contains filtered or unexported fields
}

WebServerConfigView provides a read-only view over WebServerConfig.

Its methods should only be called if `Valid()` returns true.

func (WebServerConfigView) AsStruct added in v1.34.0

AsStruct returns a clone of the underlying value which aliases no memory with the original.

func (WebServerConfigView) Handlers added in v1.34.0

mountPoint => handler

func (WebServerConfigView) MarshalJSON added in v1.34.0

func (v WebServerConfigView) MarshalJSON() ([]byte, error)

MarshalJSON implements jsonv1.Marshaler.

func (WebServerConfigView) MarshalJSONTo added in v1.88.0

func (v WebServerConfigView) MarshalJSONTo(enc *jsontext.Encoder) error

MarshalJSONTo implements jsonv2.MarshalerTo.

func (*WebServerConfigView) UnmarshalJSON added in v1.34.0

func (v *WebServerConfigView) UnmarshalJSON(b []byte) error

UnmarshalJSON implements jsonv1.Unmarshaler.

func (*WebServerConfigView) UnmarshalJSONFrom added in v1.88.0

func (v *WebServerConfigView) UnmarshalJSONFrom(dec *jsontext.Decoder) error

UnmarshalJSONFrom implements jsonv2.UnmarshalerFrom.

func (WebServerConfigView) Valid added in v1.34.0

func (v WebServerConfigView) Valid() bool

Valid reports whether v's underlying value is non-nil.

type WindowsUserID added in v1.34.0

type WindowsUserID string

WindowsUserID is a userid (suitable for passing to ipnauth.LookupUserFromID or os/user.LookupId) but only set on Windows. It's empty on all other platforms, unless envknob.GOOS is in use, making Linux act like Windows for tests.


Directories

Path Synopsis
Package auditlog provides a mechanism for logging audit events.
Package conffile contains code to load, manipulate, and access config file settings.
Package desktop facilitates interaction with the desktop environment and user sessions.
Package ipnauth controls access to the LocalAPI.
Package ipnext defines types and interfaces used for extending the core LocalBackend functionality with additional features and services.
Package ipnlocal is the heart of the Tailscale node agent that controls all the other misc pieces of the Tailscale node.
Package ipnserver runs the LocalAPI HTTP server that communicates with the LocalBackend.
Package ipnstate captures the entire state of the Tailscale network.
Package lapitest provides utilities for black-box testing of LocalAPI (ipnserver).
Package localapi contains the HTTP server handlers for tailscaled's API server.
Package policy contains various policy decisions that need to be shared between the node client & control server.
Package store provides various implementation of ipn.StateStore.
awsstore
Package awsstore contains an ipn.StateStore implementation using AWS SSM.
kubestore
Package kubestore contains an ipn.StateStore implementation using Kubernetes Secrets.
mem
Package mem provides an in-memory ipn.StateStore implementation.
