func CheckTag(tagstring)error

func Clone(dst, srcany)bool

func IsKnownServiceProto(spServiceProto)bool

func UnmarshalCapJSON[Tany](cmPeerCapMap, capPeerCapability) ([]T,error)

func UnmarshalCapViewJSON[Tany](cmviews.MapSlice[PeerCapability,RawMessage], capPeerCapability) ([]T,error)

func UnmarshalNodeCapJSON[Tany](cmNodeCapMap, capNodeCapability) ([]T,error)

func UnmarshalNodeCapViewJSON[Tany](cmviews.MapSlice[NodeCapability,RawMessage], capNodeCapability) ([]T,error)

type AttrUpdate map[string]any

type AuditLogRequest struct {// Version is the client's current CapabilityVersion.VersionCapabilityVersion `json:",omitzero"`// NodeKey is the client's current node key.NodeKeykey.NodePublic `json:",omitzero"`// Action is the action to be logged. It must correspond to a known action in the control plane.ActionClientAuditAction `json:",omitzero"`// Details is an opaque string, specific to the action being logged.  Empty strings may not// be valid depending on the action being logged.Detailsstring `json:",omitzero"`// Timestamp is the time at which the audit log was generated on the node.Timestamptime.Time `json:",omitzero"`}

type C2NAppConnectorDomainRoutesResponse struct {// Domains is a map of lower case domain names with no trailing dot,// to a list of resolved IP addresses.Domains map[string][]netip.Addr}

type C2NDebugNetmapRequest struct {// Candidate is an optional full MapResponse to be used for generating a candidate// network map. If unset, only the current network map is returned.Candidate *MapResponse `json:"candidate,omitzero"`// OmitFields is an optional list of netmap fields to omit from the response.// If unset, no fields are omitted.OmitFields []string `json:"omitFields,omitzero"`}

type C2NDebugNetmapResponse struct {// Current is the current network map (netmap.NetworkMap).Currentjson.RawMessage `json:"current"`// Candidate is a network map produced based on the candidate MapResponse.Candidatejson.RawMessage `json:"candidate,omitzero"`}

type C2NPostureIdentityResponse struct {// SerialNumbers is a list of serial numbers of the client machine.SerialNumbers []string `json:",omitempty"`// IfaceHardwareAddrs is a list of hardware addresses (MAC addresses)// of the client machine's network interfaces.IfaceHardwareAddrs []string `json:",omitempty"`// PostureDisabled indicates if the machine has opted out of// device posture collection.PostureDisabledbool `json:",omitempty"`}

type C2NSSHUsernamesRequest struct {// Exclude optionally specifies usernames to exclude// from the response.Exclude map[string]bool `json:",omitempty"`// Max is the maximum number of usernames to return.// If zero, a default limit is used.Maxint `json:",omitempty"`}

type C2NSSHUsernamesResponse struct {// Usernames is the list of usernames to suggest. If the machine has many// users, this list may be truncated. If getting the list of usernames might// be too slow or unavailable, this list might be empty. This is effectively// just a best effort set of hints.Usernames []string}

type C2NTLSCertInfo struct {// Valid means that the node has a cached and valid (not expired)// certificate.Validbool `json:",omitempty"`// Error is the error string if the certificate is not valid. If error is// non-empty, the other booleans below might say why.Errorstring `json:",omitempty"`// Missing is whether the error string indicates a missing certificate// that's never been fetched or isn't on disk.Missingbool `json:",omitempty"`// Expired is whether the error string indicates an expired certificate.Expiredbool `json:",omitempty"`NotBeforestring `json:",omitempty"`// RFC3339, if ValidNotAfterstring `json:",omitempty"`// RFC3339, if Valid}

type C2NUpdateResponse struct {// Err is the error message, if any.Errstring `json:",omitempty"`// Enabled indicates whether the user has opted in to updates triggered from// control.Enabledbool// Supported indicates whether remote updates are supported on this// OS/platform.Supportedbool// Started indicates whether the update has started.Startedbool}

type C2NVIPServicesResponse struct {// VIPServices is the list of VIP services that the node is currently serving.VIPServices []*VIPService `json:",omitempty"`// ServicesHash is the hash of VIPServices to allow the control server to detect// changes. This value matches what is reported in latest [Hostinfo.ServicesHash].ServicesHashstring}

type CapGrant struct {// Dsts are the destination IP ranges that this capability// grant matches.Dsts []netip.Prefix// Caps are the capabilities the source IP matched by// FilterRule.SrcIPs are granted to the destination IP,// matched by Dsts.// Deprecated: use CapMap instead.Caps []PeerCapability `json:",omitempty"`// CapMap is a map of capabilities to their values.// The key is the capability name, and the value is a list of// values for that capability.CapMapPeerCapMap `json:",omitempty"`}

type CapabilityVersionint

const CurrentCapabilityVersionCapabilityVersion = 131

CurrentCapabilityVersion is the current capability version of the codebase.

History of versions:

• 3: implicit compression, keep-alives
• 4: opt-in keep-alives via KeepAlive field, opt-in compression via Compress
• 5: 2020-10-19, implies IncludeIPv6, delta Peers/UserProfiles, supports MagicDNS
• 6: 2020-12-07: means MapResponse.PacketFilter nil means unchanged
• 7: 2020-12-15: FilterRule.SrcIPs accepts CIDRs+ranges, doesn't warn about 0.0.0.0/::
• 8: 2020-12-19: client can buggily receive IPv6 addresses and routes if beta enabled server-side
• 9: 2020-12-30: client doesn't auto-add implicit search domains from peers; only DNSConfig.Domains
• 10: 2021-01-17: client understands MapResponse.PeerSeenChange
• 11: 2021-03-03: client understands IPv6, multiple default routes, and goroutine dumping
• 12: 2021-03-04: client understands PingRequest
• 13: 2021-03-19: client understands FilterRule.IPProto
• 14: 2021-04-07: client understands DNSConfig.Routes and DNSConfig.Resolvers
• 15: 2021-04-12: client treats nil MapResponse.DNSConfig as meaning unchanged
• 16: 2021-04-15: client understands Node.Online, MapResponse.OnlineChange
• 17: 2021-04-18: MapResponse.Domain empty means unchanged
• 18: 2021-04-19: MapResponse.Node nil means unchanged (all fields now omitempty)
• 19: 2021-04-21: MapResponse.Debug.SleepSeconds
• 20: 2021-06-11: MapResponse.LastSeen used even less (https://github.com/tailscale/tailscale/issues/2107)
• 21: 2021-06-15: added MapResponse.DNSConfig.CertDomains
• 22: 2021-06-16: added MapResponse.DNSConfig.ExtraRecords
• 23: 2021-08-25: DNSConfig.Routes values may be empty (for ExtraRecords support in 1.14.1+)
• 24: 2021-09-18: MapResponse.Health from control to node; node shows in "tailscale status"
• 25: 2021-11-01: MapResponse.Debug.Exit
• 26: 2022-01-12: (nothing, just bumping for 1.20.0)
• 27: 2022-02-18: start of SSHPolicy being respected
• 28: 2022-03-09: client can communicate over Noise.
• 29: 2022-03-21: MapResponse.PopBrowserURL
• 30: 2022-03-22: client can request id tokens.
• 31: 2022-04-15: PingRequest & PingResponse TSMP & disco support
• 32: 2022-04-17: client knows FilterRule.CapMatch
• 33: 2022-07-20: added MapResponse.PeersChangedPatch (DERPRegion + Endpoints)
• 34: 2022-08-02: client understands CapabilityFileSharingTarget
• 36: 2022-08-02: added PeersChangedPatch.{Key,DiscoKey,Online,LastSeen,KeyExpiry,Capabilities}
• 37: 2022-08-09: added Debug.{SetForceBackgroundSTUN,SetRandomizeClientPort}; Debug are sticky
• 38: 2022-08-11: added PingRequest.URLIsNoise
• 39: 2022-08-15: clients can talk Noise over arbitrary HTTPS port
• 40: 2022-08-22: added Node.KeySignature, PeersChangedPatch.KeySignature
• 41: 2022-08-30: uses 100.100.100.100 for route-less ExtraRecords if global nameservers is set
• 42: 2022-09-06: NextDNS DoH support; seehttps://github.com/tailscale/tailscale/pull/5556
• 43: 2022-09-21: clients can return usernames for SSH
• 44: 2022-09-22: MapResponse.ControlDialPlan
• 45: 2022-09-26: c2n /debug/{goroutines,prefs,metrics}
• 46: 2022-10-04: c2n /debug/component-logging
• 47: 2022-10-11: Register{Request,Response}.NodeKeySignature
• 48: 2022-11-02: Node.UnsignedPeerAPIOnly
• 49: 2022-11-03: Client understands EarlyNoise
• 50: 2022-11-14: Client understands CapabilityIngress
• 51: 2022-11-30: Client understands CapabilityTailnetLockAlpha
• 52: 2023-01-05: client can handle c2n POST /logtail/flush
• 53: 2023-01-18: client respects explicit Node.Expired + auto-sets based on Node.KeyExpiry
• 54: 2023-01-19: Node.Cap added, PeersChangedPatch.Cap, uses Node.Cap for ExitDNS before Hostinfo.Services fallback
• 55: 2023-01-23: start of c2n GET+POST /update handler
• 56: 2023-01-24: Client understands CapabilityDebugTSDNSResolution
• 57: 2023-01-25: Client understands CapabilityBindToInterfaceByRoute
• 58: 2023-03-10: Client retries lite map updates before restarting map poll.
• 59: 2023-03-16: Client understands Peers[].SelfNodeV4MasqAddrForThisPeer
• 60: 2023-04-06: Client understands IsWireGuardOnly
• 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
• 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
• 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
• 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock
• 65: 2023-07-12: Client understands DERPMap.HomeParams + incremental DERPMap updates with params
• 66: 2023-07-23: UserProfile.Groups added (available via WhoIs) (removed in 87)
• 67: 2023-07-25: Client understands PeerCapMap
• 68: 2023-08-09: Client has dedicated updateRoutine; MapRequest.Stream true means ignore Hostinfo+Endpoints
• 69: 2023-08-16: removed Debug.LogHeap* + GoroutineDumpURL; added c2n /debug/logheap
• 70: 2023-08-16: removed most Debug fields; added NodeAttrDisable*, NodeAttrDebug* instead
• 71: 2023-08-17: added NodeAttrOneCGNATEnable, NodeAttrOneCGNATDisable
• 72: 2023-08-23: TS-2023-006 UPnP issue fixed; UPnP can now be used again
• 73: 2023-09-01: Non-Windows clients expect to receive ClientVersion
• 74: 2023-09-18: Client understands NodeCapMap
• 75: 2023-09-12: Client understands NodeAttrDNSForwarderDisableTCPRetries
• 76: 2023-09-20: Client understands ExitNodeDNSResolvers for IsWireGuardOnly nodes
• 77: 2023-10-03: Client understands Peers[].SelfNodeV6MasqAddrForThisPeer
• 78: 2023-10-05: can handle c2n Wake-on-LAN sending
• 79: 2023-10-05: Client understands UrgentSecurityUpdate in ClientVersion
• 80: 2023-11-16: can handle c2n GET /tls-cert-status
• 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
• 82: 2023-12-01: Client understands NodeAttrLinuxMustUseIPTables, NodeAttrLinuxMustUseNfTables, c2n /netfilter-kind
• 83: 2023-12-18: Client understands DefaultAutoUpdate
• 84: 2024-01-04: Client understands SeamlessKeyRenewal
• 85: 2024-01-05: Client understands MaxKeyDuration
• 86: 2024-01-23: Client understands NodeAttrProbeUDPLifetime
• 87: 2024-02-11: UserProfile.Groups removed (added in 66)
• 88: 2024-03-05: Client understands NodeAttrSuggestExitNode
• 89: 2024-03-23: Client no longer respects deleted PeerChange.Capabilities (use CapMap)
• 90: 2024-04-03: Client understands PeerCapabilityTaildrive.
• 91: 2024-04-24: Client understands PeerCapabilityTaildriveSharer.
• 92: 2024-05-06: Client understands NodeAttrUserDialUseRoutes.
• 93: 2024-05-06: added support for stateful firewalling.
• 94: 2024-05-06: Client understands Node.IsJailed.
• 95: 2024-05-06: Client uses NodeAttrUserDialUseRoutes to change DNS dialing behavior.
• 96: 2024-05-29: Client understands NodeAttrSSHBehaviorV1
• 97: 2024-06-06: Client understands NodeAttrDisableSplitDNSWhenNoCustomResolvers
• 98: 2024-06-13: iOS/tvOS clients may provide serial number as part of posture information
• 99: 2024-06-14: Client understands NodeAttrDisableLocalDNSOverrideViaNRPT
• 100: 2024-06-18: Initial support for filtertype.Match.SrcCaps - actually usable in capver 109 (issue #12542)
• 101: 2024-07-01: Client supports SSH agent forwarding when handling connections with /bin/su
• 102: 2024-07-12: NodeAttrDisableMagicSockCryptoRouting support
• 103: 2024-07-24: Client supports NodeAttrDisableCaptivePortalDetection
• 104: 2024-08-03: SelfNodeV6MasqAddrForThisPeer now works
• 105: 2024-08-05: Fixed SSH behavior on systems that use busybox (issue #12849)
• 106: 2024-09-03: fix panic regression from cryptokey routing change (65fe0ba7b5)
• 107: 2024-10-30: add App Connector to conffile (PR #13942)
• 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services.
• 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542)
• 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373)
• 111: 2025-01-14: Client supports a peer having Node.HomeDERP (issue #14636)
• 112: 2025-01-14: Client interprets AllowedIPs of nil as meaning same as Addresses
• 113: 2025-01-20: Client communicates to control whether funnel is enabled by sending Hostinfo.IngressEnabled (#14688)
• 114: 2025-01-30: NodeAttrMaxKeyDuration CapMap defined, clients might use it (no tailscaled code change) (#14829)
• 115: 2025-03-07: Client understands DERPRegion.NoMeasureNoHome.
• 116: 2025-05-05: Client serves MagicDNS "AAAA" if NodeAttrMagicDNSPeerAAAA set on self node
• 117: 2025-05-28: Client understands DisplayMessages (structured health messages), but not necessarily PrimaryAction.
• 118: 2025-07-01: Client sends Hostinfo.StateEncrypted to report whether the state file is encrypted at rest (#15830)
• 119: 2025-07-10: Client uses Hostinfo.Location.Priority to prioritize one route over another.
• 120: 2025-07-15: Client understands peer relay disco messages, and implements peer client and relay server functions
• 121: 2025-07-19: Client understands peer relay endpoint alloc with [disco.AllocateUDPRelayEndpointRequest] & [disco.AllocateUDPRelayEndpointResponse]
• 122: 2025-07-21: Client sends Hostinfo.ExitNodeID to report which exit node it has selected, if any.
• 123: 2025-07-28: fix deadlock regression from cryptokey routing change (issue #16651)
• 124: 2025-08-08: removed NodeAttrDisableMagicSockCryptoRouting support, crypto routing is now mandatory
• 125: 2025-08-11: dnstype.Resolver adds UseWithExitNode field.
• 126: 2025-09-17: Client uses seamless key renewal unless disabled by control (tailscale/corp#31479)
• 127: 2025-09-19: can handle C2N /debug/netmap.
• 128: 2025-10-02: can handle C2N /debug/health.
• 129: 2025-10-04: Fixed sleep/wake deadlock in magicsock when using peer relay (PR #17449)
• 130: 2025-10-06: client can send key.HardwareAttestationPublic and key.HardwareAttestationKeySignature in MapRequest
• 131: 2025-11-25: client respectsNodeAttrDefaultAutoUpdate

type ClientAuditActionstring

type ClientVersion struct {// RunningLatest is true if the client is running the latest build.RunningLatestbool `json:",omitempty"`// LatestVersion is the latest version.Short ("1.34.2") version available// for download for the client's platform and packaging type.// It won't be populated if RunningLatest is true.LatestVersionstring `json:",omitempty"`// UrgentSecurityUpdate is set when the client is missing an important// security update. That update may be in LatestVersion or earlier.// UrgentSecurityUpdate should not be set if RunningLatest is false.UrgentSecurityUpdatebool `json:",omitempty"`// Notify is whether the client should do an OS-specific notification about// a new version being available. This should not be populated if// RunningLatest is true. The client should not notify multiple times for// the same LatestVersion value.Notifybool `json:",omitempty"`// NotifyURL is a URL to open in the browser when the user clicks on the// notification, when Notify is true.NotifyURLstring `json:",omitempty"`// NotifyText is the text to show in the notification, when Notify is true.NotifyTextstring `json:",omitempty"`}

type ControlDialPlan struct {// An empty list means the default: use DNS (unspecified which DNS).Candidates []ControlIPCandidate}

func (*ControlDialPlan)Clone¶added inv1.32.0

func (src *ControlDialPlan) Clone() *ControlDialPlan

Clone makes a deep copy of ControlDialPlan.The result aliases no memory with the original.

func (*ControlDialPlan)View¶added inv1.32.0

func (p *ControlDialPlan) View()ControlDialPlanView

View returns a read-only view of ControlDialPlan.

type ControlDialPlanView struct {// contains filtered or unexported fields}

func (ControlDialPlanView)AsStruct¶added inv1.32.0

func (vControlDialPlanView) AsStruct() *ControlDialPlan

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (ControlDialPlanView)Candidates¶added inv1.32.0

func (vControlDialPlanView) Candidates()views.Slice[ControlIPCandidate]

An empty list means the default: use DNS (unspecified which DNS).

func (ControlDialPlanView)MarshalJSON¶added inv1.32.0

func (vControlDialPlanView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (ControlDialPlanView)MarshalJSONTo¶added inv1.88.0

func (vControlDialPlanView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (*ControlDialPlanView)UnmarshalJSON¶added inv1.32.0

func (v *ControlDialPlanView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*ControlDialPlanView)UnmarshalJSONFrom¶added inv1.88.0

func (v *ControlDialPlanView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (ControlDialPlanView)Valid¶added inv1.32.0

func (vControlDialPlanView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type ControlIPCandidate struct {// IP is the address to attempt connecting to.IPnetip.Addr `json:",omitzero"`// ACEHost, if non-empty, means that the client should connect to the// control plane using an HTTPS CONNECT request to the provided hostname. If// the IP field is also set, then the IP is the IP address of the ACEHost// (and not the control plane) and DNS should not be used. The target (the// argument to CONNECT) is always the control plane's hostname, not an IP.ACEHoststring `json:",omitempty"`// DialStartSec is the number of seconds after the beginning of the// connection process to wait before trying this candidate.DialStartDelaySecfloat64 `json:",omitempty"`// DialTimeoutSec is the timeout for a connection to this candidate,// starting after DialStartDelaySec.DialTimeoutSecfloat64 `json:",omitempty"`// Priority is the relative priority of this candidate; candidates with// a higher priority are preferred over candidates with a lower// priority.Priorityint `json:",omitempty"`}

type DERPAdmitClientRequest struct {NodePublickey.NodePublic// key to query for admissionSourcenetip.Addr// derp client's IP address}

type DERPAdmitClientResponse struct {Allowbool// whether to permit client}

type DERPHomeParams struct {// RegionScore scales latencies of DERP regions by a given scaling// factor when determining which region to use as the home// ("preferred") DERP. Scores in the range (0, 1) will cause this// region to be proportionally more preferred, and scores in the range// (1, ∞) will penalize a region.//// If a region is not present in this map, it is treated as having a// score of 1.0.//// Scores should not be 0 or negative; such scores will be ignored.//// A nil map means no change from the previous value (if any); an empty// non-nil map can be sent to reset all scores back to 1.0.RegionScore map[int]float64 `json:",omitempty"`}

func (*DERPHomeParams)Clone¶added inv1.46.0

func (src *DERPHomeParams) Clone() *DERPHomeParams

Clone makes a deep copy of DERPHomeParams.The result aliases no memory with the original.

func (*DERPHomeParams)View¶added inv1.46.0

func (p *DERPHomeParams) View()DERPHomeParamsView

View returns a read-only view of DERPHomeParams.

type DERPHomeParamsView struct {// contains filtered or unexported fields}

func (DERPHomeParamsView)AsStruct¶added inv1.46.0

func (vDERPHomeParamsView) AsStruct() *DERPHomeParams

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (DERPHomeParamsView)MarshalJSON¶added inv1.46.0

func (vDERPHomeParamsView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (DERPHomeParamsView)MarshalJSONTo¶added inv1.88.0

func (vDERPHomeParamsView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (DERPHomeParamsView)RegionScore¶added inv1.46.0

func (vDERPHomeParamsView) RegionScore()views.Map[int,float64]

RegionScore scales latencies of DERP regions by a given scalingfactor when determining which region to use as the home("preferred") DERP. Scores in the range (0, 1) will cause thisregion to be proportionally more preferred, and scores in the range(1, ∞) will penalize a region.

If a region is not present in this map, it is treated as having ascore of 1.0.

Scores should not be 0 or negative; such scores will be ignored.

A nil map means no change from the previous value (if any); an emptynon-nil map can be sent to reset all scores back to 1.0.

func (*DERPHomeParamsView)UnmarshalJSON¶added inv1.46.0

func (v *DERPHomeParamsView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*DERPHomeParamsView)UnmarshalJSONFrom¶added inv1.88.0

func (v *DERPHomeParamsView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (DERPHomeParamsView)Valid¶added inv1.46.0

func (vDERPHomeParamsView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type DERPMap struct {// HomeParams, if non-nil, is a change in home parameters.//// The rest of the DEPRMap fields, if zero, means unchanged.HomeParams *DERPHomeParams `json:",omitempty"`// Regions is the set of geographic regions running DERP node(s).//// It's keyed by the DERPRegion.RegionID.//// The numbers are not necessarily contiguous.Regions map[int]*DERPRegion// OmitDefaultRegions specifies to not use Tailscale's DERP servers, and only use those// specified in this DERPMap. If there are none set outside of the defaults, this is a noop.//// This field is only meaningful if the Regions map is non-nil (indicating a change).OmitDefaultRegionsbool `json:"omitDefaultRegions,omitempty"`}

func (*DERPMap)Clone¶added inv1.10.0

func (src *DERPMap) Clone() *DERPMap

Clone makes a deep copy of DERPMap.The result aliases no memory with the original.

func (*DERPMap)RegionIDs¶added inv0.98.1

func (m *DERPMap) RegionIDs() []int

/ RegionIDs returns the sorted region IDs.

func (*DERPMap)View¶added inv1.26.0

func (p *DERPMap) View()DERPMapView

View returns a read-only view of DERPMap.

type DERPMapView struct {// contains filtered or unexported fields}

func (DERPMapView)AsStruct¶added inv1.26.0

func (vDERPMapView) AsStruct() *DERPMap

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (DERPMapView)HomeParams¶added inv1.46.0

func (vDERPMapView) HomeParams()DERPHomeParamsView

HomeParams, if non-nil, is a change in home parameters.

The rest of the DEPRMap fields, if zero, means unchanged.

func (DERPMapView)MarshalJSON¶added inv1.26.0

func (vDERPMapView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (DERPMapView)MarshalJSONTo¶added inv1.88.0

func (vDERPMapView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (DERPMapView)OmitDefaultRegions¶added inv1.26.0

func (vDERPMapView) OmitDefaultRegions()bool

OmitDefaultRegions specifies to not use Tailscale's DERP servers, and only use thosespecified in this DERPMap. If there are none set outside of the defaults, this is a noop.

This field is only meaningful if the Regions map is non-nil (indicating a change).

func (DERPMapView)Regions¶added inv1.26.0

func (vDERPMapView) Regions()views.MapFn[int, *DERPRegion,DERPRegionView]

Regions is the set of geographic regions running DERP node(s).

It's keyed by the DERPRegion.RegionID.

The numbers are not necessarily contiguous.

func (*DERPMapView)UnmarshalJSON¶added inv1.26.0

func (v *DERPMapView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*DERPMapView)UnmarshalJSONFrom¶added inv1.88.0

func (v *DERPMapView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (DERPMapView)Valid¶added inv1.26.0

func (vDERPMapView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type DERPNode struct {// Name is a unique node name (across all regions).// It is not a host name.// It's typically of the form "1b", "2a", "3b", etc. (region// ID + suffix within that region)Namestring// RegionID is the RegionID of the DERPRegion that this node// is running in.RegionIDint// HostName is the DERP node's hostname.//// It is required but need not be unique; multiple nodes may// have the same HostName but vary in configuration otherwise.HostNamestring// CertName optionally specifies the expected TLS cert common// name. If empty, HostName is used. If CertName is non-empty,// HostName is only used for the TCP dial (if IPv4/IPv6 are// not present) + TLS ClientHello.//// As a special case, if CertName starts with "sha256-raw:",// then the rest of the string is a hex-encoded SHA256 of the// cert to expect. This is used for self-signed certs.// In this case, the HostName field will typically be an IP// address literal.CertNamestring `json:",omitempty"`// IPv4 optionally forces an IPv4 address to use, instead of using DNS.// If empty, A record(s) from DNS lookups of HostName are used.// If the string is not an IPv4 address, IPv4 is not used; the// conventional string to disable IPv4 (and not use DNS) is// "none".IPv4string `json:",omitempty"`// IPv6 optionally forces an IPv6 address to use, instead of using DNS.// If empty, AAAA record(s) from DNS lookups of HostName are used.// If the string is not an IPv6 address, IPv6 is not used; the// conventional string to disable IPv6 (and not use DNS) is// "none".IPv6string `json:",omitempty"`// Port optionally specifies a STUN port to use.// Zero means 3478.// To disable STUN on this node, use -1.STUNPortint `json:",omitempty"`// STUNOnly marks a node as only a STUN server and not a DERP// server.STUNOnlybool `json:",omitempty"`// DERPPort optionally provides an alternate TLS port number// for the DERP HTTPS server.//// If zero, 443 is used.DERPPortint `json:",omitempty"`// InsecureForTests is used by unit tests to disable TLS verification.// It should not be set by users.InsecureForTestsbool `json:",omitempty"`// STUNTestIP is used in tests to override the STUN server's IP.// If empty, it's assumed to be the same as the DERP server.STUNTestIPstring `json:",omitempty"`// CanPort80 specifies whether this DERP node is accessible over HTTP// on port 80 specifically. This is used for captive portal checks.CanPort80bool `json:",omitempty"`}

func (*DERPNode)Clone¶added inv1.10.0

func (src *DERPNode) Clone() *DERPNode

Clone makes a deep copy of DERPNode.The result aliases no memory with the original.

func (*DERPNode)IsTestNode¶added inv1.66.0

func (n *DERPNode) IsTestNode()bool

func (*DERPNode)View¶added inv1.26.0

func (p *DERPNode) View()DERPNodeView

View returns a read-only view of DERPNode.

type DERPNodeView struct {// contains filtered or unexported fields}

func (DERPNodeView)AsStruct¶added inv1.26.0

func (vDERPNodeView) AsStruct() *DERPNode

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (DERPNodeView)CanPort80¶added inv1.40.0

func (vDERPNodeView) CanPort80()bool

CanPort80 specifies whether this DERP node is accessible over HTTPon port 80 specifically. This is used for captive portal checks.

func (DERPNodeView)CertName¶added inv1.26.0

func (vDERPNodeView) CertName()string

CertName optionally specifies the expected TLS cert commonname. If empty, HostName is used. If CertName is non-empty,HostName is only used for the TCP dial (if IPv4/IPv6 arenot present) + TLS ClientHello.

As a special case, if CertName starts with "sha256-raw:",then the rest of the string is a hex-encoded SHA256 of thecert to expect. This is used for self-signed certs.In this case, the HostName field will typically be an IPaddress literal.

func (DERPNodeView)DERPPort¶added inv1.26.0

func (vDERPNodeView) DERPPort()int

DERPPort optionally provides an alternate TLS port numberfor the DERP HTTPS server.

If zero, 443 is used.

func (DERPNodeView)HostName¶added inv1.26.0

func (vDERPNodeView) HostName()string

HostName is the DERP node's hostname.

It is required but need not be unique; multiple nodes mayhave the same HostName but vary in configuration otherwise.

func (DERPNodeView)IPv4¶added inv1.26.0

func (vDERPNodeView) IPv4()string

IPv4 optionally forces an IPv4 address to use, instead of using DNS.If empty, A record(s) from DNS lookups of HostName are used.If the string is not an IPv4 address, IPv4 is not used; theconventional string to disable IPv4 (and not use DNS) is"none".

func (DERPNodeView)IPv6¶added inv1.26.0

func (vDERPNodeView) IPv6()string

IPv6 optionally forces an IPv6 address to use, instead of using DNS.If empty, AAAA record(s) from DNS lookups of HostName are used.If the string is not an IPv6 address, IPv6 is not used; theconventional string to disable IPv6 (and not use DNS) is"none".

func (DERPNodeView)InsecureForTests¶added inv1.26.0

func (vDERPNodeView) InsecureForTests()bool

InsecureForTests is used by unit tests to disable TLS verification.It should not be set by users.

func (DERPNodeView)MarshalJSON¶added inv1.26.0

func (vDERPNodeView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (DERPNodeView)MarshalJSONTo¶added inv1.88.0

func (vDERPNodeView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (DERPNodeView)Name¶added inv1.26.0

func (vDERPNodeView) Name()string

Name is a unique node name (across all regions).It is not a host name.It's typically of the form "1b", "2a", "3b", etc. (regionID + suffix within that region)

func (DERPNodeView)RegionID¶added inv1.26.0

func (vDERPNodeView) RegionID()int

RegionID is the RegionID of the DERPRegion that this nodeis running in.

func (DERPNodeView)STUNOnly¶added inv1.26.0

func (vDERPNodeView) STUNOnly()bool

STUNOnly marks a node as only a STUN server and not a DERPserver.

func (DERPNodeView)STUNPort¶added inv1.26.0

func (vDERPNodeView) STUNPort()int

Port optionally specifies a STUN port to use.Zero means 3478.To disable STUN on this node, use -1.

func (DERPNodeView)STUNTestIP¶added inv1.26.0

func (vDERPNodeView) STUNTestIP()string

STUNTestIP is used in tests to override the STUN server's IP.If empty, it's assumed to be the same as the DERP server.

func (*DERPNodeView)UnmarshalJSON¶added inv1.26.0

func (v *DERPNodeView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*DERPNodeView)UnmarshalJSONFrom¶added inv1.88.0

func (v *DERPNodeView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (DERPNodeView)Valid¶added inv1.26.0

func (vDERPNodeView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type DERPRegion struct {// RegionID is a unique integer for a geographic region.//// It corresponds to the legacy derpN.tailscale.com hostnames// used by older clients. (Older clients will continue to resolve// derpN.tailscale.com when contacting peers, rather than use// the server-provided DERPMap)//// RegionIDs must be non-zero, positive, and guaranteed to fit// in a JavaScript number.//// RegionIDs in range 900-999 are reserved for end users to run their// own DERP nodes.RegionIDint// RegionCode is a short name for the region. It's usually a popular// city or airport code in the region: "nyc", "sf", "sin",// "fra", etc.RegionCodestring// RegionName is a long English name for the region: "New York City",// "San Francisco", "Singapore", "Frankfurt", etc.RegionNamestring// Latitude, Longitude are optional geographical coordinates of the DERP region's city, in degrees.Latitudefloat64 `json:",omitempty"`Longitudefloat64 `json:",omitempty"`// Avoid is whether the client should avoid picking this as its home region.// The region should only be used if a peer is there. Clients already using// this region as their home should migrate away to a new region without// Avoid set.//// Deprecated: because of bugs in past implementations combined with unclear// docs that caused people to think the bugs were intentional, this field is// deprecated. It was never supposed to cause STUN/DERP measurement probes,// but due to bugs, it sometimes did. And then some parts of the code began// to rely on that property. But then we were unable to use this field for// its original purpose, nor its later imagined purpose, because various// parts of the codebase thought it meant one thing and others thought it// meant another. But it did something in the middle instead. So we're retiring// it. Use NoMeasureNoHome instead.Avoidbool `json:",omitempty"`// NoMeasureNoHome says that this regions should not be measured for its// latency distance (STUN, HTTPS, etc) or availability (e.g. captive portal// checks) and should never be selected as the node's home region. However,// if a peer declares this region as its home, then this client is allowed// to connect to it for the purpose of communicating with that peer.//// This is what the now deprecated Avoid bool was supposed to mean// originally but had implementation bugs and documentation omissions.NoMeasureNoHomebool `json:",omitempty"`// Nodes are the DERP nodes running in this region, in// priority order for the current client. Client TLS// connections should ideally only go to the first entry// (falling back to the second if necessary). STUN packets// should go to the first 1 or 2.//// If nodes within a region route packets amongst themselves,// but not to other regions. That said, each user/domain// should get a the same preferred node order, so if all nodes// for a user/network pick the first one (as they should, when// things are healthy), the inter-cluster routing is minimal// to zero.Nodes []*DERPNode}

func (*DERPRegion)Clone¶added inv1.10.0

func (src *DERPRegion) Clone() *DERPRegion

Clone makes a deep copy of DERPRegion.The result aliases no memory with the original.

func (*DERPRegion)View¶added inv1.26.0

func (p *DERPRegion) View()DERPRegionView

View returns a read-only view of DERPRegion.

type DERPRegionView struct {// contains filtered or unexported fields}

func (DERPRegionView)AsStruct¶added inv1.26.0

func (vDERPRegionView) AsStruct() *DERPRegion

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (DERPRegionView)Latitude¶added inv1.62.0

func (vDERPRegionView) Latitude()float64

Latitude, Longitude are optional geographical coordinates of the DERP region's city, in degrees.

func (DERPRegionView)Longitude¶added inv1.62.0

func (vDERPRegionView) Longitude()float64

func (DERPRegionView)MarshalJSON¶added inv1.26.0

func (vDERPRegionView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (DERPRegionView)MarshalJSONTo¶added inv1.88.0

func (vDERPRegionView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (DERPRegionView)NoMeasureNoHome¶added inv1.82.0

func (vDERPRegionView) NoMeasureNoHome()bool

NoMeasureNoHome says that this regions should not be measured for itslatency distance (STUN, HTTPS, etc) or availability (e.g. captive portalchecks) and should never be selected as the node's home region. However,if a peer declares this region as its home, then this client is allowedto connect to it for the purpose of communicating with that peer.

This is what the now deprecated Avoid bool was supposed to meanoriginally but had implementation bugs and documentation omissions.

func (DERPRegionView)Nodes¶added inv1.26.0

func (vDERPRegionView) Nodes()views.SliceView[*DERPNode,DERPNodeView]

Nodes are the DERP nodes running in this region, inpriority order for the current client. Client TLSconnections should ideally only go to the first entry(falling back to the second if necessary). STUN packetsshould go to the first 1 or 2.

If nodes within a region route packets amongst themselves,but not to other regions. That said, each user/domainshould get a the same preferred node order, so if all nodesfor a user/network pick the first one (as they should, whenthings are healthy), the inter-cluster routing is minimalto zero.

func (DERPRegionView)RegionCode¶added inv1.26.0

func (vDERPRegionView) RegionCode()string

RegionCode is a short name for the region. It's usually a popularcity or airport code in the region: "nyc", "sf", "sin","fra", etc.

func (DERPRegionView)RegionID¶added inv1.26.0

func (vDERPRegionView) RegionID()int

RegionID is a unique integer for a geographic region.

It corresponds to the legacy derpN.tailscale.com hostnamesused by older clients. (Older clients will continue to resolvederpN.tailscale.com when contacting peers, rather than usethe server-provided DERPMap)

RegionIDs must be non-zero, positive, and guaranteed to fitin a JavaScript number.

RegionIDs in range 900-999 are reserved for end users to run theirown DERP nodes.

func (DERPRegionView)RegionName¶added inv1.26.0

func (vDERPRegionView) RegionName()string

RegionName is a long English name for the region: "New York City","San Francisco", "Singapore", "Frankfurt", etc.

func (*DERPRegionView)UnmarshalJSON¶added inv1.26.0

func (v *DERPRegionView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*DERPRegionView)UnmarshalJSONFrom¶added inv1.88.0

func (v *DERPRegionView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (DERPRegionView)Valid¶added inv1.26.0

func (vDERPRegionView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type DNSConfig struct {// Resolvers are the DNS resolvers to use, in order of preference.Resolvers []*dnstype.Resolver `json:",omitempty"`// Routes maps DNS name suffixes to a set of DNS resolvers to// use. It is used to implement "split DNS" and other advanced DNS// routing overlays.//// Map keys are fully-qualified DNS name suffixes; they may// optionally contain a trailing dot but no leading dot.//// If the value is an empty slice, that means the suffix should still// be handled by Tailscale's built-in resolver (100.100.100.100), such// as for the purpose of handling ExtraRecords.Routes map[string][]*dnstype.Resolver `json:",omitempty"`// FallbackResolvers is like Resolvers, but is only used if a// split DNS configuration is requested in a configuration that// doesn't work yet without explicit default resolvers.//https://github.com/tailscale/tailscale/issues/1743FallbackResolvers []*dnstype.Resolver `json:",omitempty"`// Domains are the search domains to use.// Search domains must be FQDNs, but *without* the trailing dot.Domains []string `json:",omitempty"`// Proxied turns on automatic resolution of hostnames for devices// in the network map, aka MagicDNS.// Despite the (legacy) name, does not necessarily cause request// proxying to be enabled.Proxiedbool `json:",omitzero"`// Nameservers are the IP addresses of the global nameservers to use.//// Deprecated: this is only set and used by MapRequest.Version >=9 and <14. Use Resolvers instead.Nameservers []netip.Addr `json:",omitempty"`// CertDomains are the set of DNS names for which the control// plane server will assist with provisioning TLS// certificates. See SetDNSRequest, which can be used to// answer dns-01 ACME challenges for e.g. LetsEncrypt.// These names are FQDNs without trailing periods, and without// any "_acme-challenge." prefix.CertDomains []string `json:",omitempty"`// ExtraRecords contains extra DNS records to add to the// MagicDNS config.ExtraRecords []DNSRecord `json:",omitempty"`// ExitNodeFilteredSuffixes are the DNS suffixes that the// node, when being an exit node DNS proxy, should not answer.//// The entries do not contain trailing periods and are always// all lowercase.//// If an entry starts with a period, it's a suffix match (but// suffix ".a.b" doesn't match "a.b"; a prefix is required).//// If an entry does not start with a period, it's an exact// match.//// Matches are case insensitive.ExitNodeFilteredSet []string `json:",omitempty"`// TempCorpIssue13969 is a temporary (2023-08-16) field for an internal hack day prototype.// It contains a user inputed URL that should have a list of domains to be blocked.// Seehttps://github.com/tailscale/corp/issues/13969.TempCorpIssue13969string `json:",omitzero"`}

func (*DNSConfig)Clone¶added inv1.2.0

func (src *DNSConfig) Clone() *DNSConfig

Clone makes a deep copy of DNSConfig.The result aliases no memory with the original.

func (*DNSConfig)View¶added inv1.26.0

func (p *DNSConfig) View()DNSConfigView

View returns a read-only view of DNSConfig.

type DNSConfigView struct {// contains filtered or unexported fields}

func (DNSConfigView)AsStruct¶added inv1.26.0

func (vDNSConfigView) AsStruct() *DNSConfig

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (DNSConfigView)CertDomains¶added inv1.26.0

func (vDNSConfigView) CertDomains()views.Slice[string]

CertDomains are the set of DNS names for which the controlplane server will assist with provisioning TLScertificates. See SetDNSRequest, which can be used toanswer dns-01 ACME challenges for e.g. LetsEncrypt.These names are FQDNs without trailing periods, and withoutany "_acme-challenge." prefix.

func (DNSConfigView)Domains¶added inv1.26.0

func (vDNSConfigView) Domains()views.Slice[string]

Domains are the search domains to use.Search domains must be FQDNs, but *without* the trailing dot.

func (DNSConfigView)ExitNodeFilteredSet¶added inv1.26.0

func (vDNSConfigView) ExitNodeFilteredSet()views.Slice[string]

ExitNodeFilteredSuffixes are the DNS suffixes that thenode, when being an exit node DNS proxy, should not answer.

The entries do not contain trailing periods and are alwaysall lowercase.

If an entry starts with a period, it's a suffix match (butsuffix ".a.b" doesn't match "a.b"; a prefix is required).

If an entry does not start with a period, it's an exactmatch.

Matches are case insensitive.

func (DNSConfigView)ExtraRecords¶added inv1.26.0

func (vDNSConfigView) ExtraRecords()views.Slice[DNSRecord]

ExtraRecords contains extra DNS records to add to theMagicDNS config.

func (DNSConfigView)FallbackResolvers¶added inv1.26.0

func (vDNSConfigView) FallbackResolvers()views.SliceView[*dnstype.Resolver,dnstype.ResolverView]

FallbackResolvers is like Resolvers, but is only used if asplit DNS configuration is requested in a configuration thatdoesn't work yet without explicit default resolvers.https://github.com/tailscale/tailscale/issues/1743

func (DNSConfigView)MarshalJSON¶added inv1.26.0

func (vDNSConfigView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (DNSConfigView)MarshalJSONTo¶added inv1.88.0

func (vDNSConfigView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (DNSConfigView)Proxied¶added inv1.26.0

func (vDNSConfigView) Proxied()bool

Proxied turns on automatic resolution of hostnames for devicesin the network map, aka MagicDNS.Despite the (legacy) name, does not necessarily cause requestproxying to be enabled.

func (DNSConfigView)Resolvers¶added inv1.26.0

func (vDNSConfigView) Resolvers()views.SliceView[*dnstype.Resolver,dnstype.ResolverView]

Resolvers are the DNS resolvers to use, in order of preference.

func (DNSConfigView)Routes¶added inv1.26.0

func (vDNSConfigView) Routes()views.MapFn[string, []*dnstype.Resolver,views.SliceView[*dnstype.Resolver,dnstype.ResolverView]]

Routes maps DNS name suffixes to a set of DNS resolvers touse. It is used to implement "split DNS" and other advanced DNSrouting overlays.

Map keys are fully-qualified DNS name suffixes; they mayoptionally contain a trailing dot but no leading dot.

If the value is an empty slice, that means the suffix should stillbe handled by Tailscale's built-in resolver (100.100.100.100), suchas for the purpose of handling ExtraRecords.

func (DNSConfigView)TempCorpIssue13969¶added inv1.50.0

func (vDNSConfigView) TempCorpIssue13969()string

TempCorpIssue13969 is a temporary (2023-08-16) field for an internal hack day prototype.It contains a user inputed URL that should have a list of domains to be blocked.Seehttps://github.com/tailscale/corp/issues/13969.

func (*DNSConfigView)UnmarshalJSON¶added inv1.26.0

func (v *DNSConfigView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*DNSConfigView)UnmarshalJSONFrom¶added inv1.88.0

func (v *DNSConfigView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (DNSConfigView)Valid¶added inv1.26.0

func (vDNSConfigView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type DNSRecord struct {// Name is the fully qualified domain name of// the record to add. The trailing dot is optional.Namestring// Type is the DNS record type.// Empty means A or AAAA, depending on value.// Other values are currently ignored.Typestring `json:",omitzero"`// Value is the IP address in string form.// TODO(bradfitz): if we ever add support for record types// with non-UTF8 binary data, add ValueBytes []byte that// would take precedence.Valuestring}

type Debug struct {// SleepSeconds requests that the client sleep for the// provided number of seconds.// The client can (and should) limit the value (such as 5// minutes). This exists as a safety measure to slow down// spinning clients, in case we introduce a bug in the// state machine.SleepSecondsfloat64 `json:",omitempty"`// DisableLogTail disables the logtail package. Once disabled it can't be// re-enabled for the lifetime of the process.//// This is primarily used by Headscale.DisableLogTailbool `json:",omitempty"`// Exit optionally specifies that the client should os.Exit// with this code. This is a safety measure in case a client is crash// looping or in an unsafe state and we need to remotely shut it down.Exit *int `json:",omitempty"`}

type DisplayMessage struct {// Title is a string that the GUI uses as title for this message. The title// should be short and fit in a single line. It should not end in a period.//// Example: "Network may be blocking Tailscale".//// See the various instantiations of [health.Warnable] for more examples.Titlestring// Text is an extended string that the GUI will display to the user. This// could be multiple sentences explaining the issue in more detail.//// Example: "macOS Screen Time seems to be blocking Tailscale. Try disabling// Screen Time in System Settings > Screen Time > Content & Privacy > Access// to Web Content."//// See the various instantiations of [health.Warnable] for more examples.Textstring// Severity is the severity of the DisplayMessage, which the GUI can use to// determine how to display it. Maps to [health.Severity].SeverityDisplayMessageSeverity// ImpactsConnectivity is whether the health problem will impact the user's// ability to connect to the Internet or other nodes on the tailnet, which// the GUI can use to determine how to display it.ImpactsConnectivitybool `json:",omitempty"`// Primary action, if present, represents the action to allow the user to// take when interacting with this message. For example, if the// DisplayMessage is shown via a notification, the action label might be a// button on that notification and clicking the button would open the URL.PrimaryAction *DisplayMessageAction `json:",omitempty"`}

func (DisplayMessage)Equal¶added inv1.86.0

func (mDisplayMessage) Equal(oDisplayMessage)bool

Equal returns true iff all fields are equal.

type DisplayMessageAction struct {// URL is the URL to navigate to when the user interacts with this actionURLstring// Label is the call to action for the UI to display on the UI element that// will open the URL (such as a button or link). For example, "Sign in" or// "Learn more".Labelstring}

type DisplayMessageIDstring

type DisplayMessageSeveritystring

type EarlyNoise struct {// NodeKeyChallenge is a random per-connection public key to be used by// the client to prove possession of a wireguard private key.NodeKeyChallengekey.ChallengePublic `json:"nodeKeyChallenge"`}

type Endpoint struct {Addrnetip.AddrPortTypeEndpointType}

type EndpointTypeint

func (EndpointType)String¶added inv1.8.0

func (etEndpointType) String()string

type FilterRule struct {// SrcIPs are the source IPs/networks to match.//// It may take the following forms://     * an IP address (IPv4 or IPv6)//     * the string "*" to match everything (both IPv4 & IPv6)//     * a CIDR (e.g. "192.168.0.0/16")//     * a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")//     * a string "cap:<capability>" with NodeCapMap cap nameSrcIPs []string// SrcBits is deprecated; it was the old way to specify a CIDR// prior to CapabilityVersion 7. Its values correspond to the// SrcIPs above.//// If an entry of SrcBits is present for the same index as a// SrcIPs entry, it changes the SrcIP above to be a network// with /n CIDR bits. If the slice is nil or insufficiently// long, the default value (for an IPv4 address) for a// position is 32, as if the SrcIPs above were a /32 mask. For// a "*" SrcIPs value, the corresponding SrcBits value is// ignored.//// This is still present in this file because the Tailscale control plane// code still uses this type, for 118 clients that are still connected as of// 2024-06-18, 3.5 years after the last release that used this type.SrcBits []int `json:",omitempty"`// DstPorts are the port ranges to allow once a source IP// matches (is in the CIDR described by SrcIPs).//// CapGrant and DstPorts are mutually exclusive: at most one can be non-nil.DstPorts []NetPortRange `json:",omitempty"`// IPProto are the IP protocol numbers to match.//// As a special case, nil or empty means TCP, UDP, and ICMP.//// Numbers outside the uint8 range (below 0 or above 255) are// reserved for Tailscale's use. Unknown ones are ignored.//// Depending on the IPProto values, DstPorts may or may not be// used.IPProto []int `json:",omitempty"`// CapGrant, if non-empty, are the capabilities to// conditionally grant to the source IP in SrcIPs.//// Think of DstPorts as "capabilities for networking" and// CapGrant as arbitrary application-defined capabilities// defined between the admin's ACLs and the application// doing WhoIs lookups, looking up the remote IP address's// application-level capabilities.//// CapGrant and DstPorts are mutually exclusive: at most one can be non-nil.CapGrant []CapGrant `json:",omitempty"`}

type HealthChangeRequest struct {Subsysstring// a health.Subsystem value in string formErrorstring// or empty if cleared// NodeKey is the client's current node key.// In clients <= 1.62.0 it was always the zero value.NodeKeykey.NodePublic}

type Hostinfo struct {IPNVersionstring `json:",omitzero"`// version of this code (in version.Long format)FrontendLogIDstring `json:",omitzero"`// logtail ID of frontend instanceBackendLogIDstring `json:",omitzero"`// logtail ID of backend instanceOSstring `json:",omitzero"`// operating system the client runs on (a version.OS value)// OSVersion is the version of the OS, if available.//// For Android, it's like "10", "11", "12", etc. For iOS and macOS it's like// "15.6.1" or "12.4.0". For Windows it's like "10.0.19044.1889". For// FreeBSD it's like "12.3-STABLE".//// For Linux, prior to Tailscale 1.32, we jammed a bunch of fields into this// string on Linux, like "Debian 10.4; kernel=xxx; container; env=kn" and so// on. As of Tailscale 1.32, this is simply the kernel version on Linux, like// "5.10.0-17-amd64".OSVersionstring `json:",omitzero"`Containeropt.Bool `json:",omitzero"`// best-effort whether the client is running in a containerEnvstring   `json:",omitzero"`// a hostinfo.EnvType in string formDistrostring   `json:",omitzero"`// "debian", "ubuntu", "nixos", ...DistroVersionstring   `json:",omitzero"`// "20.04", ...DistroCodeNamestring   `json:",omitzero"`// "jammy", "bullseye", ...// App is used to disambiguate Tailscale clients that run using tsnet.Appstring `json:",omitzero"`// "k8s-operator", "golinks", ...Desktopopt.Bool `json:",omitzero"`// if a desktop was detected on LinuxPackagestring   `json:",omitzero"`// Tailscale package to disambiguate ("choco", "appstore", etc; "" for unknown)DeviceModelstring   `json:",omitzero"`// mobile phone model ("Pixel 3a", "iPhone12,3")PushDeviceTokenstring   `json:",omitzero"`// macOS/iOS APNs device token for notifications (and Android in the future)Hostnamestring   `json:",omitzero"`// name of the host the client runs onShieldsUpbool     `json:",omitzero"`// indicates whether the host is blocking incoming connectionsShareeNodebool     `json:",omitzero"`// indicates this node exists in netmap because it's owned by a shared-to userNoLogsNoSupportbool     `json:",omitzero"`// indicates that the user has opted out of sending logs and support// WireIngress indicates that the node would like to be wired up server-side// (DNS, etc) to be able to use Tailscale Funnel, even if it's not currently// enabled. For example, the user might only use it for intermittent// foreground CLI serve sessions, for which they'd like it to work right// away, even if it's disabled most of the time. As an optimization, this is// only sent if IngressEnabled is false, as IngressEnabled implies that this// option is true.WireIngressbool           `json:",omitzero"`IngressEnabledbool           `json:",omitzero"`// if the node has any funnel endpoint enabledAllowsUpdatebool           `json:",omitzero"`// indicates that the node has opted-in to admin-console-drive remote updatesMachinestring         `json:",omitzero"`// the current host's machine type (uname -m)GoArchstring         `json:",omitzero"`// GOARCH value (of the built binary)GoArchVarstring         `json:",omitzero"`// GOARM, GOAMD64, etc (of the built binary)GoVersionstring         `json:",omitzero"`// Go version binary was built withRoutableIPs     []netip.Prefix `json:",omitempty"`// set of IP ranges this client can routeRequestTags     []string       `json:",omitempty"`// set of ACL tags this node wants to claimWoLMACs         []string       `json:",omitempty"`// MAC address(es) to send Wake-on-LAN packets to wake this node (lowercase hex w/ colons)Services        []Service      `json:",omitempty"`// services advertised by this machineNetInfo         *NetInfo       `json:",omitzero"`SSH_HostKeys    []string       `json:"sshHostKeys,omitempty"`// if advertisedCloudstring         `json:",omitzero"`Userspaceopt.Bool       `json:",omitzero"`// if the client is running in userspace (netstack) modeUserspaceRouteropt.Bool       `json:",omitzero"`// if the client's subnet router is running in userspace (netstack) modeAppConnectoropt.Bool       `json:",omitzero"`// if the client is running the app-connector serviceServicesHashstring         `json:",omitzero"`// opaque hash of the most recent list of tailnet services, change in hash indicates config should be fetched via c2nExitNodeIDStableNodeID   `json:",omitzero"`// the client’s selected exit node, empty when unselected.// Location represents geographical location data about a// Tailscale host. Location is optional and only set if// explicitly declared by a node.Location *Location `json:",omitzero"`TPM *TPMInfo `json:",omitzero"`// TPM device metadata, if available// StateEncrypted reports whether the node state is stored encrypted on// disk. The actual mechanism is platform-specific://   * Apple nodes use the Keychain//   * Linux and Windows nodes use the TPM//   * Android apps use EncryptedSharedPreferencesStateEncryptedopt.Bool `json:",omitzero"`}

func (*Hostinfo)CheckRequestTags¶added inv1.4.0

func (h *Hostinfo) CheckRequestTags()error

CheckRequestTags checks that all of h.RequestTags are valid.

func (*Hostinfo)Clone¶

func (src *Hostinfo) Clone() *Hostinfo

Clone makes a deep copy of Hostinfo.The result aliases no memory with the original.

func (*Hostinfo)Equal¶

func (h *Hostinfo) Equal(h2 *Hostinfo)bool

Equal reports whether h and h2 are equal.

func (*Hostinfo)TailscaleSSHEnabled¶added inv1.28.0

func (hi *Hostinfo) TailscaleSSHEnabled()bool

TailscaleSSHEnabled reports whether or not this node is acting as aTailscale SSH server.

func (*Hostinfo)View¶added inv1.22.0

func (p *Hostinfo) View()HostinfoView

View returns a read-only view of Hostinfo.

type HostinfoView struct {// contains filtered or unexported fields}

func (HostinfoView)AllowsUpdate¶added inv1.36.0

func (vHostinfoView) AllowsUpdate()bool

indicates that the node has opted-in to admin-console-drive remote updates

func (HostinfoView)App¶added inv1.38.0

func (vHostinfoView) App()string

App is used to disambiguate Tailscale clients that run using tsnet.

func (HostinfoView)AppConnector¶added inv1.54.0

func (vHostinfoView) AppConnector()opt.Bool

if the client is running the app-connector service

func (HostinfoView)AsStruct¶added inv1.22.0

func (vHostinfoView) AsStruct() *Hostinfo

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (HostinfoView)BackendLogID¶added inv1.22.0

func (vHostinfoView) BackendLogID()string

logtail ID of backend instance

func (HostinfoView)Cloud¶added inv1.28.0

func (vHostinfoView) Cloud()string

func (HostinfoView)Container¶added inv1.32.0

func (vHostinfoView) Container()opt.Bool

best-effort whether the client is running in a container

func (HostinfoView)Desktop¶added inv1.26.0

func (vHostinfoView) Desktop()opt.Bool

if a desktop was detected on Linux

func (HostinfoView)DeviceModel¶added inv1.22.0

func (vHostinfoView) DeviceModel()string

mobile phone model ("Pixel 3a", "iPhone12,3")

func (HostinfoView)Distro¶added inv1.32.0

func (vHostinfoView) Distro()string

"debian", "ubuntu", "nixos", ...

func (HostinfoView)DistroCodeName¶added inv1.32.0

func (vHostinfoView) DistroCodeName()string

"jammy", "bullseye", ...

func (HostinfoView)DistroVersion¶added inv1.32.0

func (vHostinfoView) DistroVersion()string

"20.04", ...

func (HostinfoView)Env¶added inv1.32.0

func (vHostinfoView) Env()string

a hostinfo.EnvType in string form

func (HostinfoView)Equal¶added inv1.22.0

func (vHostinfoView) Equal(v2HostinfoView)bool

func (HostinfoView)ExitNodeID¶added inv1.86.0

func (vHostinfoView) ExitNodeID()StableNodeID

the client’s selected exit node, empty when unselected.

func (HostinfoView)FrontendLogID¶added inv1.22.0

func (vHostinfoView) FrontendLogID()string

logtail ID of frontend instance

func (HostinfoView)GoArch¶added inv1.22.0

func (vHostinfoView) GoArch()string

GOARCH value (of the built binary)

func (HostinfoView)GoArchVar¶added inv1.36.0

func (vHostinfoView) GoArchVar()string

GOARM, GOAMD64, etc (of the built binary)

func (HostinfoView)GoVersion¶added inv1.30.0

func (vHostinfoView) GoVersion()string

Go version binary was built with

func (HostinfoView)Hostname¶added inv1.22.0

func (vHostinfoView) Hostname()string

name of the host the client runs on

func (HostinfoView)IPNVersion¶added inv1.22.0

func (vHostinfoView) IPNVersion()string

version of this code (in version.Long format)

func (HostinfoView)IngressEnabled¶added inv1.80.0

func (vHostinfoView) IngressEnabled()bool

if the node has any funnel endpoint enabled

func (HostinfoView)Location¶added inv1.46.0

func (vHostinfoView) Location()LocationView

Location represents geographical location data about aTailscale host. Location is optional and only set ifexplicitly declared by a node.

func (HostinfoView)Machine¶added inv1.36.0

func (vHostinfoView) Machine()string

the current host's machine type (uname -m)

func (HostinfoView)MarshalJSON¶added inv1.22.0

func (vHostinfoView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (HostinfoView)MarshalJSONTo¶added inv1.88.0

func (vHostinfoView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (HostinfoView)NetInfo¶added inv1.22.0

func (vHostinfoView) NetInfo()NetInfoView

func (HostinfoView)NoLogsNoSupport¶added inv1.32.0

func (vHostinfoView) NoLogsNoSupport()bool

indicates that the user has opted out of sending logs and support

func (HostinfoView)OS¶added inv1.22.0

func (vHostinfoView) OS()string

operating system the client runs on (a version.OS value)

func (HostinfoView)OSVersion¶added inv1.22.0

func (vHostinfoView) OSVersion()string

OSVersion is the version of the OS, if available.

For Android, it's like "10", "11", "12", etc. For iOS and macOS it's like"15.6.1" or "12.4.0". For Windows it's like "10.0.19044.1889". ForFreeBSD it's like "12.3-STABLE".

For Linux, prior to Tailscale 1.32, we jammed a bunch of fields into thisstring on Linux, like "Debian 10.4; kernel=xxx; container; env=kn" and soon. As of Tailscale 1.32, this is simply the kernel version on Linux, like"5.10.0-17-amd64".

func (HostinfoView)Package¶added inv1.22.0

func (vHostinfoView) Package()string

Tailscale package to disambiguate ("choco", "appstore", etc; "" for unknown)

func (HostinfoView)PushDeviceToken¶added inv1.38.0

func (vHostinfoView) PushDeviceToken()string

macOS/iOS APNs device token for notifications (and Android in the future)

func (HostinfoView)RequestTags¶added inv1.22.0

func (vHostinfoView) RequestTags()views.Slice[string]

set of ACL tags this node wants to claim

func (HostinfoView)RoutableIPs¶added inv1.22.0

func (vHostinfoView) RoutableIPs()views.Slice[netip.Prefix]

set of IP ranges this client can route

func (HostinfoView)SSH_HostKeys¶added inv1.22.0

func (vHostinfoView) SSH_HostKeys()views.Slice[string]

if advertised

func (HostinfoView)Services¶added inv1.22.0

func (vHostinfoView) Services()views.Slice[Service]

services advertised by this machine

func (HostinfoView)ServicesHash¶added inv1.78.0

func (vHostinfoView) ServicesHash()string

opaque hash of the most recent list of tailnet services, change in hash indicates config should be fetched via c2n

func (HostinfoView)ShareeNode¶added inv1.22.0

func (vHostinfoView) ShareeNode()bool

indicates this node exists in netmap because it's owned by a shared-to user

func (HostinfoView)ShieldsUp¶added inv1.22.0

func (vHostinfoView) ShieldsUp()bool

indicates whether the host is blocking incoming connections

func (HostinfoView)StateEncrypted¶added inv1.86.0

func (vHostinfoView) StateEncrypted()opt.Bool

StateEncrypted reports whether the node state is stored encrypted ondisk. The actual mechanism is platform-specific:

• Apple nodes use the Keychain
• Linux and Windows nodes use the TPM
• Android apps use EncryptedSharedPreferences

func (HostinfoView)TPM¶added inv1.84.0

func (vHostinfoView) TPM()views.ValuePointer[TPMInfo]

TPM device metadata, if available

func (HostinfoView)TailscaleSSHEnabled¶added inv1.28.0

func (vHostinfoView) TailscaleSSHEnabled()bool

func (*HostinfoView)UnmarshalJSON¶added inv1.22.0

func (v *HostinfoView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*HostinfoView)UnmarshalJSONFrom¶added inv1.88.0

func (v *HostinfoView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (HostinfoView)Userspace¶added inv1.30.0

func (vHostinfoView) Userspace()opt.Bool

if the client is running in userspace (netstack) mode

func (HostinfoView)UserspaceRouter¶added inv1.30.0

func (vHostinfoView) UserspaceRouter()opt.Bool

if the client's subnet router is running in userspace (netstack) mode

func (HostinfoView)Valid¶added inv1.22.0

func (vHostinfoView) Valid()bool

Valid reports whether v's underlying value is non-nil.

func (HostinfoView)WireIngress¶added inv1.34.0

func (vHostinfoView) WireIngress()bool

WireIngress indicates that the node would like to be wired up server-side(DNS, etc) to be able to use Tailscale Funnel, even if it's not currentlyenabled. For example, the user might only use it for intermittentforeground CLI serve sessions, for which they'd like it to work rightaway, even if it's disabled most of the time. As an optimization, this isonly sent if IngressEnabled is false, as IngressEnabled implies that thisoption is true.

func (HostinfoView)WoLMACs¶added inv1.52.0

func (vHostinfoView) WoLMACs()views.Slice[string]

MAC address(es) to send Wake-on-LAN packets to wake this node (lowercase hex w/ colons)

type IDint64

func (ID)String¶

func (idID) String()string

type Location struct {Countrystring `json:",omitempty"`// User friendly country name, with proper capitalization ("Canada")CountryCodestring `json:",omitempty"`// ISO 3166-1 alpha-2 in upper case ("CA")Citystring `json:",omitempty"`// User friendly city name, with proper capitalization ("Squamish")// CityCode is a short code representing the city in upper case.// CityCode is used to disambiguate a city from another location// with the same city name. It uniquely identifies a particular// geographical location, within the tailnet.// IATA, ICAO or ISO 3166-2 codes are recommended ("YSE")CityCodestring `json:",omitempty"`// Latitude, Longitude are optional geographical coordinates of the node, in degrees.// No particular accuracy level is promised; the coordinates may simply be the center of the city or country.Latitudefloat64 `json:",omitempty"`Longitudefloat64 `json:",omitempty"`// Priority determines the order of use of an exit node when a// location based preference matches more than one exit node,// the node with the highest priority wins. Nodes of equal// probability may be selected arbitrarily.//// A value of 0 means the exit node does not have a priority// preference. A negative int is not allowed.Priorityint `json:",omitempty"`}

func (*Location)Clone¶added inv1.46.0

func (src *Location) Clone() *Location

Clone makes a deep copy of Location.The result aliases no memory with the original.

func (*Location)View¶added inv1.46.0

func (p *Location) View()LocationView

View returns a read-only view of Location.

type LocationView struct {// contains filtered or unexported fields}

func (LocationView)AsStruct¶added inv1.46.0

func (vLocationView) AsStruct() *Location

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (LocationView)City¶added inv1.46.0

func (vLocationView) City()string

User friendly city name, with proper capitalization ("Squamish")

func (LocationView)CityCode¶added inv1.46.0

func (vLocationView) CityCode()string

CityCode is a short code representing the city in upper case.CityCode is used to disambiguate a city from another locationwith the same city name. It uniquely identifies a particulargeographical location, within the tailnet.IATA, ICAO or ISO 3166-2 codes are recommended ("YSE")

func (LocationView)Country¶added inv1.46.0

func (vLocationView) Country()string

User friendly country name, with proper capitalization ("Canada")

func (LocationView)CountryCode¶added inv1.46.0

func (vLocationView) CountryCode()string

ISO 3166-1 alpha-2 in upper case ("CA")

func (LocationView)Latitude¶added inv1.62.0

func (vLocationView) Latitude()float64

Latitude, Longitude are optional geographical coordinates of the node, in degrees.No particular accuracy level is promised; the coordinates may simply be the center of the city or country.

func (LocationView)Longitude¶added inv1.62.0

func (vLocationView) Longitude()float64

func (LocationView)MarshalJSON¶added inv1.46.0

func (vLocationView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (LocationView)MarshalJSONTo¶added inv1.88.0

func (vLocationView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (LocationView)Priority¶added inv1.46.0

func (vLocationView) Priority()int

Priority determines the order of use of an exit node when alocation based preference matches more than one exit node,the node with the highest priority wins. Nodes of equalprobability may be selected arbitrarily.

A value of 0 means the exit node does not have a prioritypreference. A negative int is not allowed.

func (*LocationView)UnmarshalJSON¶added inv1.46.0

func (v *LocationView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*LocationView)UnmarshalJSONFrom¶added inv1.88.0

func (v *LocationView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (LocationView)Valid¶added inv1.46.0

func (vLocationView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type Login struct {IDLoginID// unused in the Tailscale clientProviderstring// "google", "github", "okta_foo", etc.LoginNamestring// an email address or "email-ish" string (like alice@github)DisplayNamestring// from the IdPProfilePicURLstring  `json:",omitzero"`// from the IdP// contains filtered or unexported fields}

func (*Login)Clone¶added inv1.2.0

func (src *Login) Clone() *Login

Clone makes a deep copy of Login.The result aliases no memory with the original.

func (*Login)View¶added inv1.26.0

func (p *Login) View()LoginView

View returns a read-only view of Login.

type LoginIDID

func (LoginID)IsZero¶added inv1.2.0

func (uLoginID) IsZero()bool

func (LoginID)String¶

func (idLoginID) String()string

type LoginView struct {// contains filtered or unexported fields}

func (LoginView)AsStruct¶added inv1.26.0

func (vLoginView) AsStruct() *Login

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (LoginView)DisplayName¶added inv1.26.0

func (vLoginView) DisplayName()string

from the IdP

func (LoginView)ID¶added inv1.26.0

func (vLoginView) ID()LoginID

unused in the Tailscale client

func (LoginView)LoginName¶added inv1.26.0

func (vLoginView) LoginName()string

an email address or "email-ish" string (like alice@github)

func (LoginView)MarshalJSON¶added inv1.26.0

func (vLoginView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (LoginView)MarshalJSONTo¶added inv1.88.0

func (vLoginView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (LoginView)ProfilePicURL¶added inv1.26.0

func (vLoginView) ProfilePicURL()string

from the IdP

func (LoginView)Provider¶added inv1.26.0

func (vLoginView) Provider()string

"google", "github", "okta_foo", etc.

func (*LoginView)UnmarshalJSON¶added inv1.26.0

func (v *LoginView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*LoginView)UnmarshalJSONFrom¶added inv1.88.0

func (v *LoginView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (LoginView)Valid¶added inv1.26.0

func (vLoginView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type MachineStatusint

func (MachineStatus)AppendText¶added inv1.50.0

func (mMachineStatus) AppendText(b []byte) ([]byte,error)

func (MachineStatus)MarshalText¶

func (mMachineStatus) MarshalText() ([]byte,error)

func (MachineStatus)String¶

func (mMachineStatus) String()string

func (*MachineStatus)UnmarshalText¶

func (m *MachineStatus) UnmarshalText(b []byte)error

type MapRequest struct {// Version is incremented whenever the client code changes enough that// we want to signal to the control server that we're capable of something// different.//// For current values and history, see the CapabilityVersion type's docs.VersionCapabilityVersionCompressstring `json:",omitzero"`// "zstd" or "" (no compression)KeepAlivebool   `json:",omitzero"`// whether server should send keep-alives back to usNodeKeykey.NodePublicDiscoKeykey.DiscoPublic// HardwareAttestationKey is the public key of the node's hardware-backed// identity attestation key, if any.HardwareAttestationKeykey.HardwareAttestationPublic `json:",omitzero"`// HardwareAttestationKeySignature is the signature of// "$UNIX_TIMESTAMP|$NODE_KEY" using its hardware attestation key, if any.HardwareAttestationKeySignature []byte `json:",omitempty"`// HardwareAttestationKeySignatureTimestamp is the time at which the// HardwareAttestationKeySignature was created, if any. This UNIX timestamp// value is prepended to the node key when signing.HardwareAttestationKeySignatureTimestamptime.Time `json:",omitzero"`// Stream is whether the client wants to receive multiple MapResponses over// the same HTTP connection.//// If false, the server will send a single MapResponse and then close the// connection.//// If true and Version >= 68, the server should treat this as a read-only// request and ignore any Hostinfo or other fields that might be set.Streambool `json:",omitzero"`// Hostinfo is the client's current Hostinfo. Although it is always included// in the request, the server may choose to ignore it when Stream is true// and Version >= 68.Hostinfo *Hostinfo// MapSessionHandle, if non-empty, is a request to reattach to a previous// map session after a previous map session was interrupted for whatever// reason. Its value is an opaque string as returned by// MapResponse.MapSessionHandle.//// When set, the client must also send MapSessionSeq to specify the last// processed message in that prior session.//// The server may choose to ignore the request for any reason and start a// new map session. This is only applicable when Stream is true.MapSessionHandlestring `json:",omitzero"`// MapSessionSeq is the sequence number in the map session identified by// MapSesssionHandle that was most recently processed by the client.// It is only applicable when MapSessionHandle is specified.// If the server chooses to honor the MapSessionHandle request, only sequence// numbers greater than this value will be returned.MapSessionSeqint64 `json:",omitzero"`// Endpoints are the client's magicsock UDP ip:port endpoints (IPv4 or IPv6).// These can be ignored if Stream is true and Version >= 68.Endpoints []netip.AddrPort `json:",omitempty"`// EndpointTypes are the types of the corresponding endpoints in Endpoints.EndpointTypes []EndpointType `json:",omitempty"`// TKAHead describes the hash of the latest AUM applied to the local// tailnet key authority, if one is operating.// It is encoded as tka.AUMHash.MarshalText.TKAHeadstring `json:",omitzero"`// ReadOnly was set when client just wanted to fetch the MapResponse,// without updating their Endpoints. The intended use was for clients to// discover the DERP map at start-up before their first real endpoint// update.//// Deprecated: always false as of Version 68.ReadOnlybool `json:",omitzero"`// OmitPeers is whether the client is okay with the Peers list being omitted// in the response.//// The behavior of OmitPeers being true varies based on Stream and ReadOnly://// If OmitPeers is true, Stream is false, and ReadOnly is false,// then the server will let clients update their endpoints without// breaking existing long-polling (Stream == true) connections.// In this case, the server can omit the entire response; the client// only checks the HTTP response status code.//// If OmitPeers is true, Stream is false, but ReadOnly is true,// then all the response fields are included. (This is what the client does// when initially fetching the DERP map.)OmitPeersbool `json:",omitzero"`// DebugFlags is a list of strings specifying debugging and// development features to enable in handling this map// request. The values are deliberately unspecified, as they get// added and removed all the time during development, and offer no// compatibility promise. To roll out semantic changes, bump// Version instead.//// Current DebugFlags values are://     * "warn-ip-forwarding-off": client is trying to be a subnet//       router but their IP forwarding is broken.//     * "warn-router-unhealthy": client's Router implementation is//       having problems.DebugFlags []string `json:",omitempty"`// ConnectionHandleForTest, if non-empty, is an opaque string sent by the client that// identifies this specific connection to the server. The server may choose to// use this handle to identify the connection for debugging or testing// purposes. It has no semantic meaning.ConnectionHandleForTeststring `json:",omitzero"`}

type MapResponse struct {// MapSessionHandle optionally specifies a unique opaque handle for this// stateful MapResponse session. Servers may choose not to send it, and it's// only sent on the first MapResponse in a stream. The client can determine// whether it's reattaching to a prior stream by seeing whether this value// matches the requested MapRequest.MapSessionHandle.MapSessionHandlestring `json:",omitempty"`// Seq is a sequence number within a named map session (a response where the// first message contains a MapSessionHandle). The Seq number may be omitted// on responses that don't change the state of the stream, such as KeepAlive// or certain types of PingRequests. This is the value to be sent in// MapRequest.MapSessionSeq to resume after this message.Seqint64 `json:",omitempty"`// KeepAlive, if set, represents an empty message just to keep// the connection alive. When true, all other fields except// PingRequest, ControlTime, and PopBrowserURL are ignored.KeepAlivebool `json:",omitempty"`// PingRequest, if non-empty, is a request to the client to// prove it's still there by sending an HTTP request to the// provided URL. No auth headers are necessary.// PingRequest may be sent on any MapResponse (ones with// KeepAlive true or false).PingRequest *PingRequest `json:",omitempty"`// PopBrowserURL, if non-empty, is a URL for the client to// open to complete an action. The client should dup suppress// identical URLs and only open it once for the same URL.PopBrowserURLstring `json:",omitempty"`// Node describes the node making the map request.// Starting with MapRequest.Version 18, nil means unchanged.Node *Node `json:",omitempty"`// DERPMap describe the set of DERP servers available.// A nil value means unchanged.DERPMap *DERPMap `json:",omitempty"`// Peers, if non-empty, is the complete list of peers.// It will be set in the first MapResponse for a long-polled request/response.// Subsequent responses will be delta-encoded if MapRequest.Version >= 5 and server// chooses, in which case Peers will be nil or zero length.// If Peers is non-empty, PeersChanged and PeersRemoved should// be ignored (and should be empty).// Peers is always returned sorted by Node.ID.Peers []*Node `json:",omitempty"`// PeersChanged are the Nodes (identified by their ID) that// have changed or been added since the past update on the// HTTP response. It's not used by the server if MapRequest.Version < 5.// PeersChanged is always returned sorted by Node.ID.PeersChanged []*Node `json:",omitempty"`// PeersRemoved are the NodeIDs that are no longer in the peer list.PeersRemoved []NodeID `json:",omitempty"`// PeersChangedPatch, if non-nil, means that node(s) have changed.// This is a lighter version of the older PeersChanged support that// only supports certain types of updates.//// These are applied after Peers* above, but in practice the// control server should only send these on their own, without// the Peers* fields also set.PeersChangedPatch []*PeerChange `json:",omitempty"`// PeerSeenChange contains information on how to update peers' LastSeen// times. If the value is false, the peer is gone. If the value is true,// the LastSeen time is now. Absent means unchanged.PeerSeenChange map[NodeID]bool `json:",omitempty"`// OnlineChange changes the value of a Peer Node.Online value.OnlineChange map[NodeID]bool `json:",omitempty"`// DNSConfig contains the DNS settings for the client to use.// A nil value means no change from an earlier non-nil value.DNSConfig *DNSConfig `json:",omitempty"`// Domain is the name of the network that this node is// in. It's either of the form "example.com" (for user// foo@example.com, for multi-user networks) or// "foo@gmail.com" (for siloed users on shared email// providers). Its exact form should not be depended on; new// forms are coming later.// If empty, the value is unchanged.Domainstring `json:",omitempty"`// CollectServices reports whether this node's Tailnet has// requested that info about services be included in HostInfo.// If unset, the most recent non-empty MapResponse value in// the HTTP response stream is used.CollectServicesopt.Bool `json:",omitempty"`// PacketFilter are the firewall rules.//// For MapRequest.Version >= 6, a nil value means the most// previously streamed non-nil MapResponse.PacketFilter within// the same HTTP response. A non-nil but empty list always means// no PacketFilter (that is, to block everything).//// Note that this package's type, due its use of a slice and omitempty, is// unable to marshal a zero-length non-nil slice. The control server needs// to marshal this type using a separate type. See MapResponse docs.//// See PacketFilters for the newer way to send PacketFilter updates.PacketFilter []FilterRule `json:",omitempty"`// PacketFilters encodes incremental packet filter updates to the client// without having to send the entire packet filter on any changes as// required by the older PacketFilter (singular) field above. The map keys// are server-assigned arbitrary strings. The map values are the new rules// for that key, or nil to delete it. The client then concatenates all the// rules together to generate the final packet filter. Because the// FilterRules can only match or not match, the ordering of filter rules// doesn't matter. (That said, the client generates the file merged packet// filter rules by concananting all the packet filter rules sorted by the// map key name. But it does so for stability and testability, not// correctness. If something needs to rely on that property, something has// gone wrong.)//// If the server sends a non-nil PacketFilter (above), that is equivalent to// a named packet filter with the key "base". It is valid for the server to// send both PacketFilter and PacketFilters in the same MapResponse or// alternate between them within a session. The PacketFilter is applied// first (if set) and then the PacketFilters.//// As a special case, the map key "*" with a value of nil means to clear all// prior named packet filters (including any implicit "base") before// processing the other map entries.PacketFilters map[string][]FilterRule `json:",omitempty"`// UserProfiles are the user profiles of nodes in the network.// As as of 1.1.541 (mapver 5), this contains new or updated// user profiles only.UserProfiles []UserProfile `json:",omitempty"`// Health, if non-nil, sets the health state of the node from the control// plane's perspective. A nil value means no change from the previous// MapResponse. A non-nil 0-length slice restores the health to good (no// known problems). A non-zero length slice are the list of problems that// the control plane sees.//// Either this will be set, or DisplayMessages will be set, but not both.//// Note that this package's type, due its use of a slice and omitempty, is// unable to marshal a zero-length non-nil slice. The control server needs// to marshal this type using a separate type. See MapResponse docs.Health []string `json:",omitempty"`// DisplayMessages sets the health state of the node from the control// plane's perspective.//// Either this will be set, or Health will be set, but not both.//// The map keys are IDs that uniquely identify the type of health issue. The// map values are the messages. If the server sends down a map with entries,// the client treats it as a patch: new entries are added, keys with a value// of nil are deleted, existing entries with new values are updated. A nil// map and an empty map both mean no change has occurred since the last// update.//// As a special case, the map key "*" with a value of nil means to clear all// prior display messages before processing the other map entries.DisplayMessages map[DisplayMessageID]*DisplayMessage `json:",omitempty"`// SSHPolicy, if non-nil, updates the SSH policy for how incoming// SSH connections should be handled.SSHPolicy *SSHPolicy `json:",omitempty"`// ControlTime, if non-zero, is the current timestamp according to the control server.ControlTime *time.Time `json:",omitempty"`// TKAInfo describes the control plane's view of tailnet// key authority (TKA) state.//// An initial nil TKAInfo indicates that the control plane// believes TKA should not be enabled. An initial non-nil TKAInfo// indicates the control plane believes TKA should be enabled.// A nil TKAInfo in a mapresponse stream (i.e. a 'delta' mapresponse)// indicates no change from the value sent earlier.TKAInfo *TKAInfo `json:",omitempty"`// DomainDataPlaneAuditLogID, if non-empty, is the per-tailnet log ID to be// used when writing data plane audit logs.DomainDataPlaneAuditLogIDstring `json:",omitempty"`// Debug is normally nil, except for when the control server// is setting debug settings on a node.Debug *Debug `json:",omitempty"`// ControlDialPlan tells the client how to connect to the control// server. An initial nil is equivalent to new(ControlDialPlan).// A subsequent streamed nil means no change.ControlDialPlan *ControlDialPlan `json:",omitempty"`// ClientVersion describes the latest client version that's available for// download and whether the client is using it. A nil value means no change// or nothing to report.ClientVersion *ClientVersion `json:",omitempty"`// DeprecatedDefaultAutoUpdate is the default node auto-update setting for this// tailnet. The node is free to opt-in or out locally regardless of this// value. Once this value has been set and stored in the client, future// changes from the control plane are ignored.//// Deprecated: use NodeAttrDefaultAutoUpdate instead. See//https://github.com/tailscale/tailscale/issues/11502.DeprecatedDefaultAutoUpdateopt.Bool `json:"DefaultAutoUpdate,omitempty"`}

type NetInfo struct {// MappingVariesByDestIP says whether the host's NAT mappings// vary based on the destination IP.MappingVariesByDestIPopt.Bool `json:",omitzero"`// WorkingIPv6 is whether the host has IPv6 internet connectivity.WorkingIPv6opt.Bool `json:",omitzero"`// OSHasIPv6 is whether the OS supports IPv6 at all, regardless of// whether IPv6 internet connectivity is available.OSHasIPv6opt.Bool `json:",omitzero"`// WorkingUDP is whether the host has UDP internet connectivity.WorkingUDPopt.Bool `json:",omitzero"`// WorkingICMPv4 is whether ICMPv4 works.// Empty means not checked.WorkingICMPv4opt.Bool `json:",omitzero"`// HavePortMap is whether we have an existing portmap open// (UPnP, PMP, or PCP).HavePortMapbool `json:",omitzero"`// UPnP is whether UPnP appears present on the LAN.// Empty means not checked.UPnPopt.Bool `json:",omitzero"`// PMP is whether NAT-PMP appears present on the LAN.// Empty means not checked.PMPopt.Bool `json:",omitzero"`// PCP is whether PCP appears present on the LAN.// Empty means not checked.PCPopt.Bool `json:",omitzero"`// PreferredDERP is this node's preferred (home) DERP region ID.// This is where the node expects to be contacted to begin a// peer-to-peer connection. The node might be be temporarily// connected to multiple DERP servers (to speak to other nodes// that are located elsewhere) but PreferredDERP is the region ID// that the node subscribes to traffic at.// Zero means disconnected or unknown.PreferredDERPint `json:",omitzero"`// LinkType is the current link type, if known.LinkTypestring `json:",omitzero"`// "wired", "wifi", "mobile" (LTE, 4G, 3G, etc)// DERPLatency is the fastest recent time to reach various// DERP STUN servers, in seconds. The map key is the// "regionID-v4" or "-v6"; it was previously the DERP server's// STUN host:port.//// This should only be updated rarely, or when there's a// material change, as any change here also gets uploaded to// the control plane.DERPLatency map[string]float64 `json:",omitempty"`// FirewallMode encodes both which firewall mode was selected and why.// It is Linux-specific (at least as of 2023-08-19) and is meant to help// debug iptables-vs-nftables issues. The string is of the form// "{nft,ift}-REASON", like "nft-forced" or "ipt-default". Empty means// either not Linux or a configuration in which the host firewall rules// are not managed by tailscaled.FirewallModestring `json:",omitzero"`}

func (*NetInfo)BasicallyEqual¶

func (ni *NetInfo) BasicallyEqual(ni2 *NetInfo)bool

BasicallyEqual reports whether ni and ni2 are basically equal, ignoringchanges in DERP ServerLatency & RegionLatency.

func (*NetInfo)Clone¶

func (src *NetInfo) Clone() *NetInfo

Clone makes a deep copy of NetInfo.The result aliases no memory with the original.

func (*NetInfo)String¶

func (ni *NetInfo) String()string

func (*NetInfo)View¶added inv1.22.0

func (p *NetInfo) View()NetInfoView

View returns a read-only view of NetInfo.

type NetInfoView struct {// contains filtered or unexported fields}

func (NetInfoView)AsStruct¶added inv1.22.0

func (vNetInfoView) AsStruct() *NetInfo

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (NetInfoView)DERPLatency¶added inv1.26.0

func (vNetInfoView) DERPLatency()views.Map[string,float64]

DERPLatency is the fastest recent time to reach variousDERP STUN servers, in seconds. The map key is the"regionID-v4" or "-v6"; it was previously the DERP server'sSTUN host:port.

This should only be updated rarely, or when there's amaterial change, as any change here also gets uploaded tothe control plane.

func (NetInfoView)FirewallMode¶added inv1.48.0

func (vNetInfoView) FirewallMode()string

FirewallMode encodes both which firewall mode was selected and why.It is Linux-specific (at least as of 2023-08-19) and is meant to helpdebug iptables-vs-nftables issues. The string is of the form"{nft,ift}-REASON", like "nft-forced" or "ipt-default". Empty meanseither not Linux or a configuration in which the host firewall rulesare not managed by tailscaled.

func (NetInfoView)HavePortMap¶added inv1.22.0

func (vNetInfoView) HavePortMap()bool

HavePortMap is whether we have an existing portmap open(UPnP, PMP, or PCP).

func (NetInfoView)LinkType¶added inv1.22.0

func (vNetInfoView) LinkType()string

LinkType is the current link type, if known.

func (NetInfoView)MappingVariesByDestIP¶added inv1.22.0

func (vNetInfoView) MappingVariesByDestIP()opt.Bool

MappingVariesByDestIP says whether the host's NAT mappingsvary based on the destination IP.

func (NetInfoView)MarshalJSON¶added inv1.26.0

func (vNetInfoView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (NetInfoView)MarshalJSONTo¶added inv1.88.0

func (vNetInfoView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (NetInfoView)OSHasIPv6¶added inv1.30.0

func (vNetInfoView) OSHasIPv6()opt.Bool

OSHasIPv6 is whether the OS supports IPv6 at all, regardless ofwhether IPv6 internet connectivity is available.

func (NetInfoView)PCP¶added inv1.22.0

func (vNetInfoView) PCP()opt.Bool

PCP is whether PCP appears present on the LAN.Empty means not checked.

func (NetInfoView)PMP¶added inv1.22.0

func (vNetInfoView) PMP()opt.Bool

PMP is whether NAT-PMP appears present on the LAN.Empty means not checked.

func (NetInfoView)PreferredDERP¶added inv1.22.0

func (vNetInfoView) PreferredDERP()int

PreferredDERP is this node's preferred (home) DERP region ID.This is where the node expects to be contacted to begin apeer-to-peer connection. The node might be be temporarilyconnected to multiple DERP servers (to speak to other nodesthat are located elsewhere) but PreferredDERP is the region IDthat the node subscribes to traffic at.Zero means disconnected or unknown.

func (NetInfoView)String¶added inv1.22.0

func (vNetInfoView) String()string

func (NetInfoView)UPnP¶added inv1.22.0

func (vNetInfoView) UPnP()opt.Bool

UPnP is whether UPnP appears present on the LAN.Empty means not checked.

func (*NetInfoView)UnmarshalJSON¶added inv1.26.0

func (v *NetInfoView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*NetInfoView)UnmarshalJSONFrom¶added inv1.88.0

func (v *NetInfoView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (NetInfoView)Valid¶added inv1.22.0

func (vNetInfoView) Valid()bool

Valid reports whether v's underlying value is non-nil.

func (NetInfoView)WorkingICMPv4¶added inv1.30.0

func (vNetInfoView) WorkingICMPv4()opt.Bool

WorkingICMPv4 is whether ICMPv4 works.Empty means not checked.

func (NetInfoView)WorkingIPv6¶added inv1.22.0

func (vNetInfoView) WorkingIPv6()opt.Bool

WorkingIPv6 is whether the host has IPv6 internet connectivity.

func (NetInfoView)WorkingUDP¶added inv1.22.0

func (vNetInfoView) WorkingUDP()opt.Bool

WorkingUDP is whether the host has UDP internet connectivity.

type NetPortRange struct {IPstring// IP, CIDR, Range, or "*" (same formats as FilterRule.SrcIPs)Bits  *int   `json:",omitempty"`// deprecated; the 2020 way to turn IP into a CIDR. See FilterRule.SrcBits.PortsPortRange// contains filtered or unexported fields}

type Node struct {IDNodeIDStableIDStableNodeID// Name is the FQDN of the node.// It is also the MagicDNS name for the node.// It has a trailing dot.// e.g. "host.tail-scale.ts.net."Namestring// User is the user who created the node. If ACL tags are in use for the// node then it doesn't reflect the ACL identity that the node is running// as.UserUserID// Sharer, if non-zero, is the user who shared this node, if different than User.SharerUserID `json:",omitzero"`Keykey.NodePublicKeyExpirytime.Time                  `json:",omitzero"`// the zero value if this node does not expireKeySignaturetkatype.MarshaledSignature `json:",omitempty"`Machinekey.MachinePublic          `json:",omitzero"`DiscoKeykey.DiscoPublic            `json:",omitzero"`// Addresses are the IP addresses of this Node directly.Addresses []netip.Prefix// AllowedIPs are the IP ranges to route to this node.//// As of CapabilityVersion 112, this may be nil (null or undefined) on the wire// to mean the same as Addresses. Internally, it is always filled in with// its possibly-implicit value.AllowedIPs []netip.Prefix `json:",omitzero"`// _not_ omitempty; only nil is specialEndpoints []netip.AddrPort `json:",omitempty"`// IP+port (public via STUN, and local LANs)// LegacyDERPString is this node's home LegacyDERPString region ID integer, but shoved into an// IP:port string for legacy reasons. The IP address is always "127.3.3.40"// (a loopback address (127) followed by the digits over the letters DERP on// a QWERTY keyboard (3.3.40)). The "port number" is the home LegacyDERPString region ID// integer.//// Deprecated: HomeDERP has replaced this, but old servers might still send// this field. See tailscale/tailscale#14636. Do not use this field in code// other than in the upgradeNode func, which canonicalizes it to HomeDERP// if it arrives as a LegacyDERPString string on the wire.LegacyDERPStringstring `json:"DERP,omitzero"`// DERP-in-IP:port ("127.3.3.40:N") endpoint// HomeDERP is the modern version of the DERP string field, with just an// integer. The client advertises support for this as of capver 111.//// HomeDERP may be zero if not (yet) known, but ideally always be non-zero// for magicsock connectivity to function normally.HomeDERPint `json:",omitzero"`// DERP region ID of the node's home DERPHostinfoHostinfoView      `json:",omitzero"`Createdtime.Time         `json:",omitzero"`CapCapabilityVersion `json:",omitzero"`// if non-zero, the node's capability version; old servers might not send// Tags are the list of ACL tags applied to this node.// Tags take the form of `tag:<value>` where value starts// with a letter and only contains alphanumerics and dashes `-`.// Some valid tag examples://   `tag:prod`//   `tag:database`//   `tag:lab-1`Tags []string `json:",omitempty"`// PrimaryRoutes are the routes from AllowedIPs that this node// is currently the primary subnet router for, as determined// by the control plane. It does not include the self address// values from Addresses that are in AllowedIPs.PrimaryRoutes []netip.Prefix `json:",omitempty"`// LastSeen is when the node was last online. It is not// updated when Online is true. It is nil if the current// node doesn't have permission to know, or the node// has never been online.LastSeen *time.Time `json:",omitempty"`// Online is whether the node is currently connected to the// coordination server.  A value of nil means unknown, or the// current node doesn't have permission to know.Online *bool `json:",omitempty"`MachineAuthorizedbool `json:",omitempty"`// TODO(crawshaw): replace with MachineStatus// Capabilities are capabilities that the node has.// They're free-form strings, but should be in the form of URLs/URIs// such as://    "https://tailscale.com/cap/is-admin"//    "https://tailscale.com/cap/file-sharing"//// Deprecated: use CapMap instead. Seehttps://github.com/tailscale/tailscale/issues/11508Capabilities []NodeCapability `json:",omitempty"`// CapMap is a map of capabilities to their optional argument/data values.//// It is valid for a capability to not have any argument/data values; such// capabilities can be tested for using the HasCap method. These type of// capabilities are used to indicate that a node has a capability, but there// is no additional data associated with it. These were previously// represented by the Capabilities field, but can now be represented by// CapMap with an empty value.//// See NodeCapability for more information on keys.//// Metadata about nodes can be transmitted in 3 ways:// 1. MapResponse.Node.CapMap describes attributes that affect behavior for//    this node, such as which features have been enabled through the admin//    panel and any associated configuration details.// 2. MapResponse.PacketFilter(s) describes access (both IP and application//    based) that should be granted to peers.// 3. MapResponse.Peers[].CapMap describes attributes regarding a peer node,//    such as which features the peer supports or if that peer is preferred//    for a particular task vs other peers that could also be chosen.CapMapNodeCapMap `json:",omitempty"`// UnsignedPeerAPIOnly means that this node is not signed nor subject to TKA// restrictions. However, in exchange for that privilege, it does not get// network access. It can only access this node's peerapi, which may not let// it do anything. It is the tailscaled client's job to double-check the// MapResponse's PacketFilter to verify that its AllowedIPs will not be// accepted by the packet filter.UnsignedPeerAPIOnlybool `json:",omitzero"`ComputedNamestring `json:",omitzero"`// MagicDNS base name (for normal non-shared-in nodes), FQDN (without trailing dot, for shared-in nodes), or Hostname (if no MagicDNS)ComputedNameWithHoststring `json:",omitzero"`// either "ComputedName" or "ComputedName (computedHostIfDifferent)", if computedHostIfDifferent is set// DataPlaneAuditLogID is the per-node logtail ID used for data plane audit logging.DataPlaneAuditLogIDstring `json:",omitzero"`// Expired is whether this node's key has expired. Control may send// this; clients are only allowed to set this from false to true. On// the client, this is calculated client-side based on a timestamp sent// from control, to avoid clock skew issues.Expiredbool `json:",omitzero"`// SelfNodeV4MasqAddrForThisPeer is the IPv4 that this peer knows the current node as.// It may be empty if the peer knows the current node by its native// IPv4 address.// This field is only populated in a MapResponse for peers and not// for the current node.//// If set, it should be used to masquerade traffic originating from the// current node to this peer. The masquerade address is only relevant// for this peer and not for other peers.//// This only applies to traffic originating from the current node to the// peer or any of its subnets. Traffic originating from subnet routes will// not be masqueraded (e.g. in case of --snat-subnet-routes).SelfNodeV4MasqAddrForThisPeer *netip.Addr `json:",omitzero"`// TODO: de-pointer: tailscale/tailscale#17978// SelfNodeV6MasqAddrForThisPeer is the IPv6 that this peer knows the current node as.// It may be empty if the peer knows the current node by its native// IPv6 address.// This field is only populated in a MapResponse for peers and not// for the current node.//// If set, it should be used to masquerade traffic originating from the// current node to this peer. The masquerade address is only relevant// for this peer and not for other peers.//// This only applies to traffic originating from the current node to the// peer or any of its subnets. Traffic originating from subnet routes will// not be masqueraded (e.g. in case of --snat-subnet-routes).SelfNodeV6MasqAddrForThisPeer *netip.Addr `json:",omitzero"`// TODO: de-pointer: tailscale/tailscale#17978// IsWireGuardOnly indicates that this is a non-Tailscale WireGuard peer, it// is not expected to speak Disco or DERP, and it must have Endpoints in// order to be reachable.IsWireGuardOnlybool `json:",omitzero"`// IsJailed indicates that this node is jailed and should not be allowed// initiate connections, however outbound connections to it should still be// allowed.IsJailedbool `json:",omitzero"`// ExitNodeDNSResolvers is the list of DNS servers that should be used when this// node is marked IsWireGuardOnly and being used as an exit node.ExitNodeDNSResolvers []*dnstype.Resolver `json:",omitempty"`// contains filtered or unexported fields}

func (*Node)Clone¶

func (src *Node) Clone() *Node

Clone makes a deep copy of Node.The result aliases no memory with the original.

func (*Node)DisplayName¶added inv1.4.0

func (n *Node) DisplayName(forOwnerbool)string

DisplayName returns the user-facing name for a node which shouldbe shown in client UIs.

Parameter forOwner specifies whether the name is requested bythe owner of the node. When forOwner is false, the hostname isnever included in the return value.

Return value is either "Name" or "Name (Hostname)", whereName is the node's MagicDNS base name (for normal non-shared-innodes), FQDN (without trailing dot, for shared-in nodes), orHostname (if no MagicDNS). Hostname is only included in thereturn value if it varies from Name and forOwner is provided true.

DisplayName is only valid if InitDisplayNames has been called.

func (*Node)DisplayNames¶added inv1.4.0

func (n *Node) DisplayNames(forOwnerbool) (name, hostIfDifferentstring)

DisplayName returns the decomposed user-facing name for a node.

Parameter forOwner specifies whether the name is requested bythe owner of the node. When forOwner is false, hostIfDifferentis always returned empty.

Return value name is the node's primary name, populated with thenode's MagicDNS base name (for normal non-shared-in nodes), FQDN(without trailing dot, for shared-in nodes), or Hostname (if noMagicDNS).

Return value hostIfDifferent, when non-empty, is the node'shostname. hostIfDifferent is only populated when the hostnamevaries from name and forOwner is provided as true.

DisplayNames is only valid if InitDisplayNames has been called.

func (*Node)Equal¶

func (n *Node) Equal(n2 *Node)bool

Equal reports whether n and n2 are equal.

func (*Node)HasCap¶added inv1.50.0

func (v *Node) HasCap(capNodeCapability)bool

HasCap reports whether the node has the given capability.It is safe to call on a nil Node.

func (*Node)InitDisplayNames¶added inv1.4.0

func (n *Node) InitDisplayNames(networkMagicDNSSuffixstring)

InitDisplayNames computes and populates n's display namefields: n.ComputedName, n.computedHostIfDifferent, andn.ComputedNameWithHost.

func (*Node)IsTagged¶added inv1.38.0

func (n *Node) IsTagged()bool

IsTagged reports whether the node has any tags.

func (*Node)SharerOrUser¶added inv1.50.0

func (n *Node) SharerOrUser()UserID

SharerOrUser Sharer if set, else User.

func (*Node)View¶added inv1.26.0

func (p *Node) View()NodeView

View returns a read-only view of Node.

type NodeCapMap map[NodeCapability][]RawMessage

func (NodeCapMap)Contains¶added inv1.50.0

func (cNodeCapMap) Contains(capNodeCapability)bool

Contains reports whether c has the capability cap. This is used to test forthe existence of a capability, especially when the capability has noassociated argument/data values.

func (NodeCapMap)Equal¶added inv1.50.0

func (cNodeCapMap) Equal(c2NodeCapMap)bool

Equal reports whether c and c2 are equal.

type NodeCapabilitystring

type NodeIDID

func (NodeID)IsZero¶added inv1.2.0

func (uNodeID) IsZero()bool

func (NodeID)String¶

func (idNodeID) String()string

type NodeView struct {// contains filtered or unexported fields}

func (NodeView)Addresses¶added inv1.26.0

func (vNodeView) Addresses()views.Slice[netip.Prefix]

Addresses are the IP addresses of this Node directly.

func (NodeView)AllowedIPs¶added inv1.26.0

func (vNodeView) AllowedIPs()views.Slice[netip.Prefix]

AllowedIPs are the IP ranges to route to this node.

As of CapabilityVersion 112, this may be nil (null or undefined) on the wireto mean the same as Addresses. Internally, it is always filled in withits possibly-implicit value.

func (NodeView)AsStruct¶added inv1.26.0

func (vNodeView) AsStruct() *Node

AsStruct returns a clone of the underlying value which aliases no memory withthe original.

func (NodeView)Cap¶added inv1.36.0

func (vNodeView) Cap()CapabilityVersion

if non-zero, the node's capability version; old servers might not send

func (NodeView)CapMap¶added inv1.50.0

func (vNodeView) CapMap()views.MapSlice[NodeCapability,RawMessage]

CapMap is a map of capabilities to their optional argument/data values.

It is valid for a capability to not have any argument/data values; suchcapabilities can be tested for using the HasCap method. These type ofcapabilities are used to indicate that a node has a capability, but thereis no additional data associated with it. These were previouslyrepresented by the Capabilities field, but can now be represented byCapMap with an empty value.

See NodeCapability for more information on keys.

Metadata about nodes can be transmitted in 3 ways:

1. MapResponse.Node.CapMap describes attributes that affect behavior forthis node, such as which features have been enabled through the adminpanel and any associated configuration details.
2. MapResponse.PacketFilter(s) describes access (both IP and applicationbased) that should be granted to peers.
3. MapResponse.Peers[].CapMap describes attributes regarding a peer node,such as which features the peer supports or if that peer is preferredfor a particular task vs other peers that could also be chosen.

func (NodeView)ComputedName¶added inv1.26.0

func (vNodeView) ComputedName()string

MagicDNS base name (for normal non-shared-in nodes), FQDN (without trailing dot, for shared-in nodes), or Hostname (if no MagicDNS)

func (NodeView)ComputedNameWithHost¶added inv1.26.0

func (vNodeView) ComputedNameWithHost()string

either "ComputedName" or "ComputedName (computedHostIfDifferent)", if computedHostIfDifferent is set

func (NodeView)Created¶added inv1.26.0

func (vNodeView) Created()time.Time

func (NodeView)DataPlaneAuditLogID¶added inv1.32.0

func (vNodeView) DataPlaneAuditLogID()string

DataPlaneAuditLogID is the per-node logtail ID used for data plane audit logging.

func (NodeView)DiscoKey¶added inv1.26.0

func (vNodeView) DiscoKey()key.DiscoPublic

func (NodeView)DisplayName¶added inv1.50.0

func (nNodeView) DisplayName(forOwnerbool)string

DisplayName wraps Node.DisplayName.

func (NodeView)Endpoints¶added inv1.26.0

func (vNodeView) Endpoints()views.Slice[netip.AddrPort]

IP+port (public via STUN, and local LANs)

func (NodeView)Equal¶added inv1.26.0

func (vNodeView) Equal(v2NodeView)bool

func (NodeView)ExitNodeDNSResolvers¶added inv1.50.0

func (vNodeView) ExitNodeDNSResolvers()views.SliceView[*dnstype.Resolver,dnstype.ResolverView]

ExitNodeDNSResolvers is the list of DNS servers that should be used when thisnode is marked IsWireGuardOnly and being used as an exit node.

func (NodeView)Expired¶added inv1.36.0

func (vNodeView) Expired()bool

Expired is whether this node's key has expired. Control may sendthis; clients are only allowed to set this from false to true. Onthe client, this is calculated client-side based on a timestamp sentfrom control, to avoid clock skew issues.

func (NodeView)HasCap¶added inv1.50.0

func (vNodeView) HasCap(capNodeCapability)bool

HasCap reports whether the node has the given capability.It is safe to call on an invalid NodeView.

func (NodeView)HomeDERP¶added inv1.80.0

func (vNodeView) HomeDERP()int

HomeDERP is the modern version of the DERP string field, with just aninteger. The client advertises support for this as of capver 111.

HomeDERP may be zero if not (yet) known, but ideally always be non-zerofor magicsock connectivity to function normally.

func (NodeView)Hostinfo¶added inv1.26.0

func (vNodeView) Hostinfo()HostinfoView

func (NodeView)ID¶added inv1.26.0

func (vNodeView) ID()NodeID

func (NodeView)IsJailed¶added inv1.66.0

func (vNodeView) IsJailed()bool

IsJailed indicates that this node is jailed and should not be allowedinitiate connections, however outbound connections to it should still beallowed.

func (NodeView)IsTagged¶added inv1.50.0

func (nNodeView) IsTagged()bool

IsTagged reports whether the node has any tags.

func (NodeView)IsWireGuardOnly¶added inv1.40.0

func (vNodeView) IsWireGuardOnly()bool

IsWireGuardOnly indicates that this is a non-Tailscale WireGuard peer, itis not expected to speak Disco or DERP, and it must have Endpoints inorder to be reachable.

func (NodeView)Key¶added inv1.26.0

func (vNodeView) Key()key.NodePublic

func (NodeView)KeyExpiry¶added inv1.26.0

func (vNodeView) KeyExpiry()time.Time

the zero value if this node does not expire

func (NodeView)KeySignature¶added inv1.30.0

func (vNodeView) KeySignature()views.ByteSlice[tkatype.MarshaledSignature]

func (NodeView)LastSeen¶added inv1.26.0

func (vNodeView) LastSeen()views.ValuePointer[time.Time]

LastSeen is when the node was last online. It is notupdated when Online is true. It is nil if the currentnode doesn't have permission to know, or the nodehas never been online.

func (NodeView)Machine¶added inv1.26.0

func (vNodeView) Machine()key.MachinePublic

func (NodeView)MachineAuthorized¶added inv1.26.0

func (vNodeView) MachineAuthorized()bool

TODO(crawshaw): replace with MachineStatus

func (NodeView)MarshalJSON¶added inv1.26.0

func (vNodeView) MarshalJSON() ([]byte,error)

MarshalJSON implementsjsonv1.Marshaler.

func (NodeView)MarshalJSONTo¶added inv1.88.0

func (vNodeView) MarshalJSONTo(enc *jsontext.Encoder)error

MarshalJSONTo implementsjsonv2.MarshalerTo.

func (NodeView)Name¶added inv1.26.0

func (vNodeView) Name()string

Name is the FQDN of the node.It is also the MagicDNS name for the node.It has a trailing dot.e.g. "host.tail-scale.ts.net."

func (NodeView)Online¶added inv1.26.0

func (vNodeView) Online()views.ValuePointer[bool]

Online is whether the node is currently connected to thecoordination server. A value of nil means unknown, or thecurrent node doesn't have permission to know.

func (NodeView)PrimaryRoutes¶added inv1.26.0

func (vNodeView) PrimaryRoutes()views.Slice[netip.Prefix]

PrimaryRoutes are the routes from AllowedIPs that this nodeis currently the primary subnet router for, as determinedby the control plane. It does not include the self addressvalues from Addresses that are in AllowedIPs.

func (NodeView)SelfNodeV4MasqAddrForThisPeer¶added inv1.40.0

func (vNodeView) SelfNodeV4MasqAddrForThisPeer()views.ValuePointer[netip.Addr]

SelfNodeV4MasqAddrForThisPeer is the IPv4 that this peer knows the current node as.It may be empty if the peer knows the current node by its nativeIPv4 address.This field is only populated in a MapResponse for peers and notfor the current node.

If set, it should be used to masquerade traffic originating from thecurrent node to this peer. The masquerade address is only relevantfor this peer and not for other peers.

This only applies to traffic originating from the current node to thepeer or any of its subnets. Traffic originating from subnet routes willnot be masqueraded (e.g. in case of --snat-subnet-routes).

func (NodeView)SelfNodeV6MasqAddrForThisPeer¶added inv1.50.0

func (vNodeView) SelfNodeV6MasqAddrForThisPeer()views.ValuePointer[netip.Addr]

SelfNodeV6MasqAddrForThisPeer is the IPv6 that this peer knows the current node as.It may be empty if the peer knows the current node by its nativeIPv6 address.This field is only populated in a MapResponse for peers and notfor the current node.

If set, it should be used to masquerade traffic originating from thecurrent node to this peer. The masquerade address is only relevantfor this peer and not for other peers.

This only applies to traffic originating from the current node to thepeer or any of its subnets. Traffic originating from subnet routes willnot be masqueraded (e.g. in case of --snat-subnet-routes).

func (NodeView)Sharer¶added inv1.26.0

func (vNodeView) Sharer()UserID

Sharer, if non-zero, is the user who shared this node, if different than User.

func (NodeView)SharerOrUser¶added inv1.50.0

func (nNodeView) SharerOrUser()UserID

SharerOrUser wraps Node.SharerOrUser.

func (NodeView)StableID¶added inv1.26.0

func (vNodeView) StableID()StableNodeID

func (NodeView)Tags¶added inv1.26.0

func (vNodeView) Tags()views.Slice[string]

Tags are the list of ACL tags applied to this node.Tags take the form of `tag:<value>` where value startswith a letter and only contains alphanumerics and dashes `-`.Some valid tag examples:

`tag:prod``tag:database``tag:lab-1`

func (*NodeView)UnmarshalJSON¶added inv1.26.0

func (v *NodeView) UnmarshalJSON(b []byte)error

UnmarshalJSON implementsjsonv1.Unmarshaler.

func (*NodeView)UnmarshalJSONFrom¶added inv1.88.0

func (v *NodeView) UnmarshalJSONFrom(dec *jsontext.Decoder)error

UnmarshalJSONFrom implementsjsonv2.UnmarshalerFrom.

func (NodeView)UnsignedPeerAPIOnly¶added inv1.34.0

func (vNodeView) UnsignedPeerAPIOnly()bool

UnsignedPeerAPIOnly means that this node is not signed nor subject to TKArestrictions. However, in exchange for that privilege, it does not getnetwork access. It can only access this node's peerapi, which may not letit do anything. It is the tailscaled client's job to double-check theMapResponse's PacketFilter to verify that its AllowedIPs will not beaccepted by the packet filter.

func (NodeView)User¶added inv1.26.0

func (vNodeView) User()UserID

User is the user who created the node. If ACL tags are in use for thenode then it doesn't reflect the ACL identity that the node is runningas.

func (NodeView)Valid¶added inv1.26.0

func (vNodeView) Valid()bool

Valid reports whether v's underlying value is non-nil.

type Oauth2Token struct {// AccessToken is the token that authorizes and authenticates// the requests.AccessTokenstring `json:"access_token"`// TokenType is the type of token.// The Type method returns either this or "Bearer", the default.TokenTypestring `json:"token_type,omitempty"`// RefreshToken is a token that's used by the application// (as opposed to the user) to refresh the access token// if it expires.RefreshTokenstring `json:"refresh_token,omitempty"`// Expiry is the optional expiration time of the access token.//// If zero, TokenSource implementations will reuse the same// token forever and RefreshToken or equivalent// mechanisms for that TokenSource will not be used.Expirytime.Time `json:"expiry,omitempty"`}

type OverTLSPublicKeyResponse struct {// LegacyPublic specifies the control plane server's original// NaCl crypto_box machine key.// It will be zero for sufficiently new clients, based on their// advertised "v" parameter (the CurrentMapRequestVersion).// In that case, only the newer Noise-based transport may be used// using the PublicKey field.LegacyPublicKeykey.MachinePublic `json:"legacyPublicKey"`// PublicKey specifies the server's public key for the// Noise-based control plane protocol. (see packages// control/controlbase and control/controlhttp)PublicKeykey.MachinePublic `json:"publicKey"`}

type PeerCapMap map[PeerCapability][]RawMessage

func (PeerCapMap)HasCapability¶added inv1.48.0

func (cPeerCapMap) HasCapability(capPeerCapability)bool

HasCapability reports whether c has the capability cap. This is used to testfor the existence of a capability, especially when the capability has noassociated argument/data values.

type PeerCapabilitystring

type PeerChange struct {// NodeID is the node ID being mutated. If the NodeID is not// known in the current netmap, this update should be// ignored. (But the server will try not to send such useless// updates.)NodeIDNodeID// DERPRegion, if non-zero, means that NodeID's home DERP// region ID is now this number.DERPRegionint `json:",omitzero"`// Cap, if non-zero, means that NodeID's capability version has changed.CapCapabilityVersion `json:",omitzero"`// CapMap, if non-nil, means that NodeID's capability map has changed.CapMapNodeCapMap `json:",omitempty"`// Endpoints, if non-empty, means that NodeID's UDP Endpoints// have changed to these.Endpoints []netip.AddrPort `json:",omitempty"`// Key, if non-nil, means that the NodeID's wireguard public key changed.Key *key.NodePublic `json:",omitzero"`// TODO: de-pointer: tailscale/tailscale#17978// KeySignature, if non-nil, means that the signature of the wireguard// public key has changed.KeySignaturetkatype.MarshaledSignature `json:",omitempty"`// DiscoKey, if non-nil, means that the NodeID's discokey changed.DiscoKey *key.DiscoPublic `json:",omitzero"`// TODO: de-pointer: tailscale/tailscale#17978// Online, if non-nil, means that the NodeID's online status changed.Online *bool `json:",omitzero"`// LastSeen, if non-nil, means that the NodeID's online status changed.LastSeen *time.Time `json:",omitzero"`// TODO: de-pointer: tailscale/tailscale#17978// KeyExpiry, if non-nil, changes the NodeID's key expiry.KeyExpiry *time.Time `json:",omitzero"`// TODO: de-pointer: tailscale/tailscale#17978}