TUN-9322: Add metric for unsupported RPC commands for datagram v3

Additionally adds support for the connection index as a label for the datagram v3 specific tunnel metrics. Closes TUN-9322
TUN-9291: Remove dynamic reloading of features for datagram v3
2025-05-13 16:11:09 +00:00 · 2025-05-07 23:21:08 +00:00 · 2025-04-30 14:15:20 +01:00 · 2025-04-30 13:10:45 +01:00 · 2025-04-30 12:01:43 +00:00 · 2025-04-30 11:09:14 +01:00
3106 changed files with 327191 additions and 223777 deletions
--- a/.docker-images
+++ b/.docker-images
@ -1,10 +1,12 @@
 images:
  - name: cloudflared
-    dockerfile: Dockerfile
+    dockerfile: Dockerfile.$ARCH
    context: .
-    versions: 
+    version_file: versions
      - latest
    registries:
    - name: docker.io/cloudflare
      user: env:DOCKER_USER
      password: env:DOCKER_PASSWORD
    architectures:
    - amd64
    - arm64
--- a/.github/ISSUE_TEMPLATE/---bug-report.md
+++ b/.github/ISSUE_TEMPLATE/---bug-report.md
@ -3,7 +3,6 @@ name: "\U0001F41B Bug report"
 about: Create a report to help us improve cloudflared
 title: "\U0001F41B"
 labels: 'Priority: Normal, Type: Bug'
 assignees: abelinkinbio
 ---
@ -16,6 +15,10 @@ Steps to reproduce the behavior:
 2. Run '....'
 3. See error
 If it's an issue with Cloudflare Tunnel:
 4. Tunnel ID : 
 5. cloudflared config: 
 **Expected behavior**
 A clear and concise description of what you expected to happen.
--- a/.github/ISSUE_TEMPLATE/---documentation.md
+++ b/.github/ISSUE_TEMPLATE/---documentation.md
@ -3,7 +3,6 @@ name: "\U0001F4DD Documentation"
 about: Request new or updated documentation for cloudflared
 title: "\U0001F4DD"
 labels: 'Priority: Normal, Type: Documentation'
 assignees: abelinkinbio, ranbel
 ---
--- a/.github/ISSUE_TEMPLATE/---feature-request.md
+++ b/.github/ISSUE_TEMPLATE/---feature-request.md
@ -3,7 +3,6 @@ name: "\U0001F4A1 Feature request"
 about: Suggest a feature or enhancement for cloudflared
 title: "\U0001F4A1"
 labels: 'Priority: Normal, Type: Feature Request'
 assignees: abelinkinbio, sssilver
 ---
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@ -4,15 +4,15 @@ jobs:
  check:
    strategy:
      matrix:
-        go-version: [1.17.x]
+        go-version: [1.22.x]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.go-version }}
    - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
    - name: Test
      run: make test
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -0,0 +1,24 @@
 on:
  pull_request: {}
  workflow_dispatch: {}
  push: 
    branches:
      - main
      - master
  schedule:
    - cron: '0 0 * * *'
 name: Semgrep config
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
--- a/.gitignore
+++ b/.gitignore
@ -17,3 +17,4 @@ cscope.*
 ssh_server_tests/.env
 /.cover
 built_artifacts/
 component-tests/.venv
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,131 @@
 stages: [build, release]
 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
 # This before_script is injected into every job that runs on master meaning that if there is no tag the step
 # will succeed but only write "No tag present - Skipping" to the console.
 .check_tag:
  before_script:
    - |
      # Check if there is a Git tag pointing to HEAD
      echo "Tag found: $(git tag --points-at HEAD | grep .)"
      if git tag --points-at HEAD | grep .; then
        echo "Tag found: $(git tag --points-at HEAD | grep .)"
        export "VERSION=$(git tag --points-at HEAD | grep .)"
      else
        echo "No tag present — skipping."
        exit 0
      fi
 ## A set of predefined rules to use on the different jobs
 .default_rules:
  # Rules to run the job only on the master branch
  run_on_master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: always
    - when: never
  # Rules to run the job only on branches that are not master. This is needed because for now
  # we need to keep a similar behavior due to the integration with teamcity, which requires us
  # to not trigger pipelines on tags and/or merge requests.
  run_on_branch:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      when: always
    - when: never
 # -----------------------------------------------
 # Stage 1: Build on every PR
 # -----------------------------------------------
 build_cloudflared_macos: &build
  stage: build
  rules:
    - !reference [.default_rules, run_on_branch]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.teamcity/mac/install-cloudflare-go.sh
    - export PATH="/tmp/go/bin:$PATH"
    - BUILD_SCRIPT=.teamcity/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
 # -----------------------------------------------
 # Stage 1: Build and sign only on releases
 # -----------------------------------------------
 build_and_sign_cloudflared_macos:
  <<: *build
  rules:
    - !reference [.default_rules, run_on_master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
 # -----------------------------------------------
 # Stage 2: Release to Github after building and signing
 # -----------------------------------------------
 release_cloudflared_macos_to_github:
  stage: release
  image: docker-registry.cfdata.org/stash/tun/docker-images/cloudflared-ci/main:6-8616fe631b76-amd64@sha256:96f4fd05e66cec03e0864c1bcf09324c130d4728eef45ee994716da499183614
  extends: .check_tag
  dependencies:
    - build_and_sign_cloudflared_macos
  rules:
    - !reference [.default_rules, run_on_master]
  cache:
    paths:
      - .cache/pip
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
  script:
    - python3 --version ; pip --version  # For debugging
    - python3 -m venv venv
    - source venv/bin/activate
    - pip install pynacl==1.4.0 pygithub==1.55
    - echo $VERSION
    - echo $TAG_EXISTS
    - echo "Running release because tag exists."
    - make macos-release
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,89 @@
 linters:
  enable:
    # Some of the linters below are commented out. We should uncomment and start running them, but they return
    # too many problems to fix in one commit. Something for later.
    - asasalint        # Check for pass []any as any in variadic func(...any).
    - asciicheck       # Checks that all code identifiers does not have non-ASCII symbols in the name.
    - bidichk          # Checks for dangerous unicode character sequences.
    - bodyclose        # Checks whether HTTP response body is closed successfully.
    - decorder         # Check declaration order and count of types, constants, variables and functions.
    - dogsled          # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).
    - dupl             # Tool for code clone detection.
    - dupword          # Checks for duplicate words in the source code.
    - durationcheck    # Check for two durations multiplied together.
    - errcheck         # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.
    - errname          # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.
    - exhaustive       # Check exhaustiveness of enum switch statements.
    - gofmt            # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.
    - goimports        # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.
    - gosec            # Inspects source code for security problems.
    - gosimple         # Linter for Go source code that specializes in simplifying code.
    - govet            # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.
    - ineffassign      # Detects when assignments to existing variables are not used.
    - importas         # Enforces consistent import aliases.
    - misspell         # Finds commonly misspelled English words.
    - prealloc         # Finds slice declarations that could potentially be pre-allocated.
    - promlinter       # Check Prometheus metrics naming via promlint.
    - sloglint         # Ensure consistent code style when using log/slog.
    - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
    - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
    - tenv             # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
    - testableexamples # Linter checks if examples are testable (have an expected output).
    - testifylint      # Checks usage of github.com/stretchr/testify.
    - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
    - unconvert        # Remove unnecessary type conversions.
    - unused           # Checks Go code for unused constants, variables, functions and types.
    - wastedassign     # Finds wasted assignment statements.
    - whitespace       # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.
    - zerologlint      # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.
  # Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/
 run:
  timeout: 5m
  modules-download-mode: vendor
 # output configuration options
 output:
  formats:
    - format: 'colored-line-number'
  print-issued-lines: true
  print-linter-name: true
 issues:
  # Maximum issues count per one linter.
  # Set to 0 to disable.
  # Default: 50
  max-issues-per-linter: 50
  # Maximum count of issues with the same text.
  # Set to 0 to disable.
  # Default: 3
  max-same-issues: 15
  # Show only new issues: if there are unstaged changes or untracked files,
  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
  # It's a super-useful option for integration of golangci-lint into existing large codebase.
  # It's not practical to fix all existing issues at the moment of integration:
  # much better don't allow issues in new code.
  #
  # Default: false
  new: true
  # Show only new issues created after git revision `REV`.
  # Default: ""
  new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5
  # Show issues in any part of update files (requires new-from-rev or new-from-patch).
  # Default: false
  whole-files: true
  # Which dirs to exclude: issues from them won't be reported.
  # Can use regexp here: `generated.*`, regexp is applied on full path,
  # including the path prefix if one is set.
  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
  # "/" will be replaced by current OS file path separator to properly work on Windows.
  # Default: []
  exclude-dirs:
    - vendor
 linters-settings:
  # Check exhaustiveness of enum switch statements.
  exhaustive:
    # Presence of "default" case in switch statements satisfies exhaustiveness,
    # even if all enum members are not listed.
    # Default: false
    default-signifies-exhaustive: true
--- a/.teamcity/build-macos.sh
+++ b/.teamcity/build-macos.sh
@ -1,187 +0,0 @@
 #!/bin/bash
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1)
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1)
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1)
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1)
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
  # notarize the binary
  if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
    zip "${BINARY_NAME}.zip" ${BINARY_NAME} 
    xcrun altool --notarize-app -f "${BINARY_NAME}.zip" -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
  fi
 fi
 # creating build directory
 rm -rf $TARGET_DIRECTORY
 mkdir "${TARGET_DIRECTORY}"
 mkdir "${TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
        xcrun altool --notarize-app -f ${PKGNAME} -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
        xcrun stapler staple ${PKGNAME}
      fi
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleaning up the build directory
 rm -rf $TARGET_DIRECTORY
--- a/.teamcity/install-cloudflare-go.sh
+++ b/.teamcity/install-cloudflare-go.sh
@ -0,0 +1,8 @@
 # !/usr/bin/env bash
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
 # https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
 git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
 ./make.bash
--- a/.teamcity/mac/build.sh
+++ b/.teamcity/mac/build.sh
@ -0,0 +1,228 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 APPLE_CA_CERT="apple_dev_ca.cert"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Imports certificates to the Apple KeyChain
 import_certificate() {
    local CERTIFICATE_NAME=$1
    local CERTIFICATE_ENV_VAR=$2
    local CERTIFICATE_FILE_NAME=$3
    echo "Importing $CERTIFICATE_NAME"
    if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
      # write certificate to disk and then import it keychain
      echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
      # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
      # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
      local exitcode=$?
      # delete the certificate from disk
      rm -rf ${CERTIFICATE_FILE_NAME}
      if [ -n "$out" ]; then
        if [ $exitcode -eq 0 ]; then
            echo "$out"
        else
            if [ "$out" != "${SEC_DUP_MSG}" ]; then
                echo "$out" >&2
                exit $exitcode
            else
                echo "already imported code signing certificate"
            fi
        fi
      fi
    fi
 }
 create_cloudflared_build_keychain() {
  # Reusing the private key password as the keychain key
  local PRIVATE_KEY_PASS=$1
  # Create keychain only if it doesn't already exist
  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
  else
    echo "Keychain already exists: cloudflared_build_keychain"
  fi
  # Append temp keychain to the user domain
  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
  # Remove relock timeout
  security set-keychain-settings cloudflared_build_keychain
  # Unlock keychain so it doesn't require password
  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 }
 # Imports private keys to the Apple KeyChain
 import_private_keys() {
    local PRIVATE_KEY_NAME=$1
    local PRIVATE_KEY_ENV_VAR=$2
    local PRIVATE_KEY_FILE_NAME=$3
    local PRIVATE_KEY_PASS=$4
    echo "Importing $PRIVATE_KEY_NAME"
    if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
      if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
        # write private key to disk and then import it keychain
        echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
        # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
        # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
        local exitcode=$?
        rm -rf ${PRIVATE_KEY_FILE_NAME}
        if [ -n "$out" ]; then
          if [ $exitcode -eq 0 ]; then
              echo "$out"
          else
              if [ "$out" != "${SEC_DUP_MSG}" ]; then
                  echo "$out" >&2
                  exit $exitcode
              fi
          fi
        fi
      fi
    fi
 }
 # Create temp keychain only for this build
 create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
 # Add code signing private key to the key chain
 import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
 # Add code signing certificate to the key chain
 import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
 # Add package signing private key to the key chain
 import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
 # Add package signing certificate to the key chain
 import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # This allows apple tools to use the certificates in the keychain without requiring password input.
 # This command always needs to run after the certificates have been loaded into the keychain
 if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --keychain cloudflared_build_keychain \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
 # cleanup the keychain
 security default-keychain -d user -s login.keychain-db
 security list-keychains -d user -s login.keychain-db
 security delete-keychain cloudflared_build_keychain
--- a/.teamcity/mac/install-cloudflare-go.sh
+++ b/.teamcity/mac/install-cloudflare-go.sh
@ -0,0 +1,10 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 ./.teamcity/install-cloudflare-go.sh
 export PATH="/tmp/go/bin:$PATH"
 go version
 which go
 go env
--- a/.teamcity/package-windows.sh
+++ b/.teamcity/package-windows.sh
@ -0,0 +1,19 @@
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export BUILT_ARTIFACT_DIR=built_artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy exe into final directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done
--- a/.teamcity/update-homebrew-core.sh
+++ b/.teamcity/update-homebrew-core.sh
@ -1,26 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
    echo "Skipping public release for an untagged commit."
    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
    exit 0
 fi
 if [[ "${HOMEBREW_GITHUB_API_TOKEN:-}" == "" ]] ; then
    echo "Missing GITHUB_API_TOKEN"
    exit 1
 fi
 # "install" Homebrew
 git clone https://github.com/Homebrew/brew tmp/homebrew
 eval "$(tmp/homebrew/bin/brew shellenv)"
 brew update --force --quiet
 chmod -R go-w "$(brew --prefix)/share/zsh"
 git config --global user.name "cloudflare-warp-bot"
 git config --global user.email "warp-bot@cloudflare.com"
 # bump formula pr
 brew bump-formula-pr cloudflared --version="$VERSION" --no-browse
--- a/.teamcity/update-homebrew.sh
+++ b/.teamcity/update-homebrew.sh
@ -1,67 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 FILENAME="${PWD}/artifacts/cloudflared-darwin-amd64.tgz"
 if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
    echo "Skipping public release for an untagged commit."
    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
    exit 0
 fi
 if [[ ! -f "$FILENAME" ]] ; then
    echo "Missing $FILENAME"
    exit 1
 fi
 if [[ "${GITHUB_PRIVATE_KEY:-}" == "" ]] ; then
    echo "Missing GITHUB_PRIVATE_KEY"
    exit 1
 fi
 # upload to s3 bucket for use by Homebrew formula
 s3cmd \
    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    put "$FILENAME" "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 s3cmd \
    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    cp "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz" "s3://cftunnel-docs/dl/cloudflared-stable-darwin-amd64.tgz"
 SHA256=$(sha256sum "$FILENAME" | cut -b1-64)
 # set up git (note that UserKnownHostsFile is an absolute path so we can cd wherever)
 mkdir -p tmp
 ssh-keyscan -t rsa github.com > tmp/github.txt
 echo "$GITHUB_PRIVATE_KEY" > tmp/private.key
 chmod 0400 tmp/private.key
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PWD/tmp/github.txt -i $PWD/tmp/private.key -o IdentitiesOnly=yes"
 # clone Homebrew repo into tmp/homebrew-cloudflare
 git clone git@github.com:cloudflare/homebrew-cloudflare.git tmp/homebrew-cloudflare    
 cd tmp/homebrew-cloudflare
 git checkout -f master
 git reset --hard origin/master
 # modify cloudflared.rb
 URL="https://packages.argotunnel.com/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 tee cloudflared.rb <<EOF
 class Cloudflared < Formula
  desc 'Cloudflare Tunnel'
  homepage 'https://developers.cloudflare.com/cloudflare-one/connections/connect-apps'
  url '$URL'
  sha256 '$SHA256'
  version '$VERSION'
  def install
    bin.install 'cloudflared'
  end
 end
 EOF
 # push cloudflared.rb
 git add cloudflared.rb
 git diff
 git config user.name "cloudflare-warp-bot"
 git config user.email "warp-bot@cloudflare.com"
 git commit -m "Release Cloudflare Tunnel $VERSION"
 git push -v origin master
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -0,0 +1,28 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Relative path to working directory
 $CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
 cd $CloudflaredDirectory
 Write-Output "Building for amd64"
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 go env
 go version
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:CGO_ENABLED = 0
 $env:TARGET_ARCH = "386"
 make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -0,0 +1,47 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 go env
 go version
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 python --version
 python -m pip --version
 cd $CloudflaredDirectory
 go env
 go version
 Write-Output "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 echo $LASTEXITCODE
 Write-Output "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 & go test -failfast -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 Write-Output "Running component tests"
 python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
    python component-tests/setup.py --type cleanup
    throw "Failed component tests"
 }
 python component-tests/setup.py --type cleanup
--- a/.teamcity/windows/install-cloudflare-go.ps1
+++ b/.teamcity/windows/install-cloudflare-go.ps1
@ -0,0 +1,16 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 Write-Output "Downloading cloudflare go..."
 Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
 # https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
 git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
 & ./make.bat
 Write-Output "Installed"
--- a/.teamcity/windows/install-go-msi.ps1
+++ b/.teamcity/windows/install-go-msi.ps1
@ -0,0 +1,20 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $GoMsiVersion = "go1.22.5.windows-amd64.msi"
 Write-Output "Downloading go installer..."
 Set-Location "$Env:Temp"
 (New-Object System.Net.WebClient).DownloadFile(
    "https://go.dev/dl/$GoMsiVersion",
    "$Env:Temp\$GoMsiVersion"
 )
 Write-Output "Installing go..."
 Install-Package "$Env:Temp\$GoMsiVersion" -Force
 # Go installer updates global $PATH
 go env
 Write-Output "Installed"
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,3 +1,74 @@
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
 ## 2024.12.2
 ### New Features
 - This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
 ## 2024.12.1
 ### Notices
 - The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
 ## 2024.10.0
 ### Bug Fixes
 - We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
 ## 2023.9.0
 ### Notices
 - The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
 ## 2023.7.0
 ### New Features
 - You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
 ## 2023.4.1
 ### New Features
 - You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
 ## 2023.3.2
 ### Notices
 - Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
 ## 2023.3.1
 ### Breaking Change
 - Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
 ### Security Fixes
 - Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
 ### Bug Fixes
 - Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
 ## 2023.2.2
 ### Notices
 - Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
 - h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
 ## 2023.2.1
 ### Bug fixes
 - Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
 - cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
 - Fixed a bug introduced in the previous release where debug endpoints were removed.
 ## 2022.12.0
 ### Improvements
 - cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
 - cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
 - cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
 ## 2022.9.0
 ### New Features
 - cloudflared now rejects ingress rules with invalid http status codes for http_status.
 ## 2022.8.1
 ### New Features
 - cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
  protocol on connection failures.
 ## 2022.7.1
 ### New Features
 - It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
--- a/22
+++ b/22
@ -1,24 +1,30 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.17.1 as builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+  CGO_ENABLED=0 \
-    TARGET_GOOS=${TARGET_GOOS} \
+  TARGET_GOOS=${TARGET_GOOS} \
-    TARGET_GOARCH=${TARGET_GOARCH}
+  TARGET_GOARCH=${TARGET_GOARCH} \
-    
+  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
-LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
+  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN make cloudflared
+RUN PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian10:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -0,0 +1,32 @@
 # use a builder image for building cloudflare
 FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -0,0 +1,32 @@
 # use a builder image for building cloudflare
 FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/206
+++ b/206
@ -1,3 +1,6 @@
 # The targets cannot be run in parallel
 .NOTPARALLEL:
 VERSION       := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
@ -21,12 +24,16 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
-DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
+DATE          := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H%M UTC')
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
 ifdef CONTAINER_BUILD 
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
 endif
 LINK_FLAGS :=
 ifeq ($(FIPS), true)
 	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
@ -49,6 +56,8 @@ PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
 CF_GO_PATH     := /tmp/go
 PATH           := $(CF_GO_PATH)/bin:$(PATH)
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
@ -82,6 +91,8 @@ else ifeq ($(LOCAL_OS),windows)
    TARGET_OS ?= windows
 else ifeq ($(LOCAL_OS),freebsd)
    TARGET_OS ?= freebsd
 else ifeq ($(LOCAL_OS),openbsd)
    TARGET_OS ?= openbsd
 else
    $(error This system's OS $(LOCAL_OS) isn't supported)
 endif
@ -108,6 +119,9 @@ else
 	PACKAGE_ARCH := $(TARGET_ARCH)
 endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 .PHONY: all
 all: cloudflared test
@ -119,11 +133,9 @@ clean:
 cloudflared:
 ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
 	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
 endif
-	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -v -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
+	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
 	rm -f cmd/cloudflared/fips.go
 	./check-fips.sh cloudflared
 endif
@ -131,6 +143,11 @@ endif
 container:
 	docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
 .PHONY: generate-docker-version
 generate-docker-version:
 	echo latest $(VERSION) > versions
 .PHONY: test
 test: vet
 ifndef CI
@ -138,33 +155,43 @@ ifndef CI
 else
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 	go tool cover -html ".cover/c.out" -o .cover/all.html
 endif
-.PHONY: test-ssh-server
+.PHONY: cover
-test-ssh-server:
+cover:
-	docker-compose -f ssh_server_tests/docker-compose.yml up
+	@echo ""
 	@echo "=====> Total test coverage: <====="
 	@echo ""
 	# Print the overall coverage here for quick access.
 	$Q go tool cover -func ".cover/c.out" | grep "total:" | awk '{print $$3}'
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
-define publish_package
+.PHONY: fuzz
-	chmod 664 $(BINARY_NAME)*.$(1); \
+fuzz:
-	for HOST in $(CF_PKG_HOSTS); do \
+	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
-		ssh-keyscan -t ecdsa $$HOST >> ~/.ssh/known_hosts; \
+	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
-		scp -p -4 $(BINARY_NAME)*.$(1) cfsync@$$HOST:/state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/$(BINARY_NAME)/; \
+	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-	done
+	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
-endef
+	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
 	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
-.PHONY: publish-deb
+.PHONY: install-go
-publish-deb: cloudflared-deb
+install-go:
-	$(call publish_package,deb,apt)
+	rm -rf ${CF_GO_PATH}
 	./.teamcity/install-cloudflare-go.sh
-.PHONY: publish-rpm
+.PHONY: cleanup-go
-publish-rpm: cloudflared-rpm
+cleanup-go:
-	$(call publish_package,rpm,yum)
+	rm -rf ${CF_GO_PATH}
 cloudflared.1: cloudflared_man_template
-	cat cloudflared_man_template | sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' > cloudflared.1
+	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
-install: cloudflared cloudflared.1
+install: install-go cloudflared cloudflared.1 cleanup-go
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
@ -175,13 +202,13 @@ define build_package
 	mkdir -p $(PACKAGE_DIR)
 	cp cloudflared $(PACKAGE_DIR)/cloudflared
 	cp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1
-	fakeroot fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
+	fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
 		--description 'Cloudflare Tunnel daemon' \
 		--vendor 'Cloudflare' \
 		--license 'Apache License Version 2.0' \
 		--url 'https://github.com/cloudflare/cloudflared' \
 		-m 'Cloudflare <support@cloudflare.com>' \
-	    -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
+	    -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
 		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)
 endef
@ -198,112 +225,49 @@ cloudflared-pkg: cloudflared cloudflared.1
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
-cloudflared-msi: cloudflared
+cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
-.PHONY: cloudflared-darwin-amd64.tgz
+.PHONY: github-release-dryrun
-cloudflared-darwin-amd64.tgz: cloudflared
+github-release-dryrun:
-	tar czf cloudflared-darwin-amd64.tgz cloudflared
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
 	rm cloudflared
 .PHONY: cloudflared-junos
 cloudflared-junos: cloudflared jetez-certificate.pem jetez-key.pem
 	jetez --source . \
 		  -j jet.yaml \
 		  --key jetez-key.pem \
 		  --cert jetez-certificate.pem \
 		  --version $(VERSION)
 	rm jetez-*.pem
 jetez-certificate.pem:
 ifndef JETEZ_CERT
 	$(error JETEZ_CERT not defined)
 endif
 	@echo "Writing JetEZ certificate"
 	@echo "$$JETEZ_CERT" > jetez-certificate.pem
 jetez-key.pem:
 ifndef JETEZ_KEY
 	$(error JETEZ_KEY not defined)
 endif
 	@echo "Writing JetEZ key"
 	@echo "$$JETEZ_KEY" > jetez-key.pem
 .PHONY: publish-cloudflared-junos
 publish-cloudflared-junos: cloudflared-junos cloudflared-x86-64.latest.s3
 ifndef S3_ENDPOINT
 	$(error S3_HOST not defined)
 endif
 ifndef S3_URI
 	$(error S3_URI not defined)
 endif
 ifndef S3_ACCESS_KEY
 	$(error S3_ACCESS_KEY not defined)
 endif
 ifndef S3_SECRET_KEY
 	$(error S3_SECRET_KEY not defined)
 endif
 	sha256sum cloudflared-x86-64-$(VERSION).tgz | awk '{printf $$1}' > cloudflared-x86-64-$(VERSION).tgz.shasum
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 		put cloudflared-x86-64-$(VERSION).tgz $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 		put cloudflared-x86-64-$(VERSION).tgz.shasum $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz.shasum
 	dpkg --compare-versions "$(VERSION)" gt "$(shell cat cloudflared-x86-64.latest.s3)" && \
 		echo -n "$(VERSION)" > cloudflared-x86-64.latest && \
 		s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 			put cloudflared-x86-64.latest $(S3_URI)/cloudflared-x86-64.latest || \
 		echo "Latest version not updated"
 cloudflared-x86-64.latest.s3:
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force \
 		get $(S3_URI)/cloudflared-x86-64.latest cloudflared-x86-64.latest.s3
 .PHONY: homebrew-upload
 homebrew-upload: cloudflared-darwin-amd64.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz  $(S3_URI)/cloudflared-stable-$1.tgz
 .PHONY: homebrew-release
 homebrew-release: homebrew-upload
 	./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
 .PHONY: github-release
-github-release: cloudflared
+github-release:
 	python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
 .PHONY: github-release-built-pkgs
 github-release-built-pkgs:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 .PHONY: release-pkgs-linux
 release-pkgs-linux:
 	python3 ./release_pkgs.py
 .PHONY: github-message
 github-message:
 	python3 github_message.py --release-version $(VERSION)
-.PHONY: github-mac-upload
+.PHONY: macos-release
-github-mac-upload:
+macos-release:
-	python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
+	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 	python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
-.PHONY: tunnelrpc-deps
+.PHONY: r2-linux-release
-tunnelrpc-deps:
+r2-linux-release:
 	python3 ./release_pkgs.py
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
-	which capnpc-go  # go get zombiezen.com/go/capnproto2/capnpc-go
+	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
-	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
+	capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
 .PHONY: quic-deps
 quic-deps:
 	which capnp
 	which capnpc-go
 	capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
 .PHONY: vet
 vet:
-	go vet -mod=vendor ./...
+	go vet -mod=vendor github.com/cloudflare/cloudflared/...
-.PHONY: goimports
+.PHONY: fmt
-goimports:
+fmt:
-	for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done
+	@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 	@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 .PHONY: fmt-check
 fmt-check:
 	@./fmt-check.sh
 .PHONY: lint
 lint:
 	@golangci-lint run
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
--- a/README.md
+++ b/README.md
@ -25,12 +25,13 @@ routing), but for legacy reasons this requirement is still necessary:
 ## Installing `cloudflared`
-Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the `cloudflared` GitHub repository.
+Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
 * You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
 * Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
 * You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
 * To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
 User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
@ -39,7 +40,7 @@ User documentation for Cloudflare Tunnel can be found at https://developers.clou
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
 * Route traffic to that Tunnel:
  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
@ -48,13 +49,34 @@ Once installed, you can authenticate `cloudflared` into your Cloudflare account
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
 ## Deprecated versions
-Cloudflare currently supports versions of `cloudflared` 2020.5.1 and later. Breaking changes unrelated to feature availability may be introduced that will impact versions released prior to 2020.5.1. You can read more about upgrading `cloudflared` in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
-| Version(s) | Deprecation status |
+For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
-|---|---|
+
-| 2020.5.1 and later | Supported |
+## Development
-| Versions prior to 2020.5.1 | No longer supported |
+
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
 - [capnp](https://capnproto.org/install.html)
 - [cloudflare go toolchain](https://github.com/cloudflare/go)
 - Optional tools:
  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
  - [golangci-lint](https://github.com/golangci/golangci-lint)
  - [gomocks](https://pkg.go.dev/go.uber.org/mock)
 ### Build
 To build cloudflared locally run `make cloudflared`
 ### Test
 To locally run the tests run `make test`
 ### Linting
 To format the code and keep a good code quality use `make fmt` and `make lint`
 ### Mocks
 After changes on interfaces you might need to regenerate the mocks, so run `make mock`
--- a/591
+++ b/591
@ -1,3 +1,594 @@
 2025.4.2
 - 2025-04-30 chore: Do not use gitlab merge request pipelines
 - 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
 - 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
 - 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
 2025.4.0
 - 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
 - 2025-04-02 chore: remove repetitive words
 - 2025-04-01 Fix messages to point to one.dash.cloudflare.com
 - 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
 - 2025-04-01 Use RELEASE_NOTES date instead of build date
 - 2025-04-01 chore: Update tunnel configuration link in the readme
 - 2025-04-01 fix: expand home directory for credentials file
 - 2025-04-01 fix: Use path and filepath operation appropriately
 - 2025-04-01 feat: Adds a new command line for tunnel run for token file
 - 2025-04-01 chore: fix linter rules
 - 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
 - 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
 2025.2.1
 - 2025-02-26 TUN-9016: update base-debian to v12
 - 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
 - 2025-02-25 TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field
 - 2025-02-13 SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml
 - 2025-02-06 TUN-8914: Create a flags module to group all cloudflared cli flags
 2025.2.0
 - 2025-02-03 TUN-8914: Add a new configuration to locally override the max-active-flows
 - 2025-02-03 Bump x/crypto to 0.31.0
 2025.1.1
 - 2025-01-30 TUN-8858: update go to 1.22.10 and include quic-go FIPS changes
 - 2025-01-30 TUN-8855: fix lint issues
 - 2025-01-30 TUN-8855: Update PQ curve preferences
 - 2025-01-30 TUN-8857: remove restriction for using FIPS and PQ
 - 2025-01-30 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge
 - 2025-01-22 TUN-8904: Rename Connect Response Flow Rate Limited metadata
 - 2025-01-21 AUTH-6633 Fix cloudflared access login + warp as auth
 - 2025-01-20 TUN-8861: Add session limiter to UDP session manager
 - 2025-01-20 TUN-8861: Rename Session Limiter to Flow Limiter
 - 2025-01-17 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
 - 2025-01-17 TUN-8871: Accept login flag to authenticate with Fedramp environment
 - 2025-01-16 TUN-8866: Add linter to cloudflared repository
 - 2025-01-14 TUN-8861: Add session limiter to TCP session manager
 - 2025-01-13 TUN-8861: Add configuration for active sessions limiter
 - 2025-01-09 TUN-8848: Don't treat connection shutdown as an error condition when RPC server is done
 2025.1.0
 - 2025-01-06 TUN-8842: Add Ubuntu Noble and 'any' debian distributions to release script
 - 2025-01-06 TUN-8807: Add support_datagram_v3 to remote feature rollout
 - 2024-12-20 TUN-8829: add CONTAINER_BUILD to dockerfiles
 2024.12.2
 - 2024-12-19 TUN-8822: Prevent concurrent usage of ICMPDecoder
 - 2024-12-18 TUN-8818: update changes document to reflect newly added diag subcommand
 - 2024-12-17 TUN-8817: Increase close session channel by one since there are two writers
 - 2024-12-13 TUN-8797: update CHANGES.md with note about semi-deterministic approach used to bind metrics server
 - 2024-12-13 TUN-8724: Add CLI command for diagnostic procedure
 - 2024-12-11 TUN-8786: calculate cli flags once for the diagnostic procedure
 - 2024-12-11 TUN-8792: Make diag/system endpoint always return a JSON
 - 2024-12-10 TUN-8783: fix log collectors for the diagnostic procedure
 - 2024-12-10 TUN-8785: include the icmp sources in the diag's tunnel state
 - 2024-12-10 TUN-8784: Set JSON encoder options to print formatted JSON when writing diag files
 2024.12.1
 - 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script
 2024.12.0
 - 2024-12-09 TUN-8640: Add ICMP support for datagram V3
 - 2024-12-09 TUN-8789: make python package installation consistent
 - 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm
 - 2024-12-05 TUN-8775: Make sure the session Close can only be called once
 - 2024-12-04 TUN-8725: implement diagnostic procedure
 - 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile
 - 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
 - 2024-12-04 TUN-8768: add job report to diagnostic zipfile
 - 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure
 - 2024-12-03 TUN-8732: implement port selection algorithm
 - 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.
 - 2024-12-03 TUN-8769: fix k8s log collector arguments
 - 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration
 - 2024-11-29 TUN-8729: implement network collection for diagnostic procedure
 - 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client
 - 2024-11-27 TUN-8733: add log collection for docker
 - 2024-11-27 TUN-8734: add log collection for kubernetes
 - 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders
 - 2024-11-26 TUN-8735: add managed/local log collection
 - 2024-11-25 TUN-8728: implement diag/tunnel endpoint
 - 2024-11-25 TUN-8730: implement diag/configuration
 - 2024-11-22 TUN-8737: update metrics server port selection
 - 2024-11-22 TUN-8731: Implement diag/system endpoint
 - 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context
 2024.11.1
 - 2024-11-18 Add cloudflared tunnel ready command
 - 2024-11-14 Make metrics a requirement for tunnel ready command
 - 2024-11-12 TUN-8701:  Simplify flow registration logs for datagram v3
 - 2024-11-11 add: new go-fuzz targets
 - 2024-11-07 TUN-8701: Add metrics and adjust logs for datagram v3
 - 2024-11-06 TUN-8709: Add session migration for datagram v3
 - 2024-11-04 Fixed 404 in README.md to TryCloudflare
 - 2024-09-24 Update semgrep.yml
 2024.11.0
 - 2024-11-05 VULN-66059: remove ssh server tests
 - 2024-11-04 TUN-8700: Add datagram v3 muxer
 - 2024-11-04 TUN-8646: Allow experimental feature support for datagram v3
 - 2024-11-04 TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge
 - 2024-10-31 TUN-8708: Bump python min version to 3.10
 - 2024-10-31 TUN-8667: Add datagram v3 session manager
 - 2024-10-25 TUN-8692: remove dashes from session id
 - 2024-10-24 TUN-8694: Rework release script
 - 2024-10-24 TUN-8661: Refactor connection methods to support future different datagram muxing methods
 - 2024-07-22 TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1
 2024.10.1
 - 2024-10-23 TUN-8694: Fix github release script
 - 2024-10-21 Revert "TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport"
 - 2024-10-18 TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS
 - 2024-10-17 TUN-8685: Bump coredns dependency
 - 2024-10-16 TUN-8638: Add datagram v3 serializers and deserializers
 - 2024-10-15 chore: Remove h2mux code
 - 2024-10-11 TUN-8631: Abort release on version mismatch
 2024.10.0
 - 2024-10-01 TUN-8646: Add datagram v3 support feature flag
 - 2024-09-30 TUN-8621: Fix cloudflared version in change notes to account for release date
 - 2024-09-19 Adding semgrep yaml file
 - 2024-09-12 TUN-8632: Delay checking auto-update by the provided frequency
 - 2024-09-11 TUN-8630: Check checksum of downloaded binary to compare to current for auto-updating
 - 2024-09-09 TUN-8629: Cloudflared update on Windows requires running it twice to update
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.9.1
 - 2024-09-10 Revert Release 2024.9.0
 2024.9.0
 - 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.8.3
 - 2024-08-15 TUN-8591 login command without extra text
 - 2024-03-25 remove code that will not be executed
 - 2024-03-25 remove code that will not be executed
 2024.8.2
 - 2024-08-05 TUN-8583: change final directory of artifacts
 - 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true
 2024.7.3
 - 2024-07-31 TUN-8546: Fix final artifacts paths
 2024.7.2
 - 2024-07-17 TUN-8546: rework MacOS build script
 2024.7.1
 - 2024-07-16 TUN-8543: use -p flag to create intermediate directories
 2024.7.0
 - 2024-07-05 TUN-8520: add macos arm64 build
 - 2024-07-05 TUN-8523: refactor makefile and cfsetup
 - 2024-07-02 TUN-8504: Use pre-installed python version instead of downloading it on Windows builds
 - 2024-06-26 TUN-8489: Add default noop logger for capnprpc
 - 2024-06-25 TUN-8487: Add user-agent for quick-tunnel requests
 - 2023-12-12 TUN-8057: cloudflared uses new PQ curve ID
 2024.6.1
 - 2024-06-12 TUN-8461: Don't log Failed to send session payload if the error is EOF
 - 2024-06-07 TUN-8456: Update quic-go to 0.45 and collect mtu and congestion control metrics
 - 2024-06-06 TUN-8452: Add flag to control QUIC stream-level flow control limit
 - 2024-06-06 TUN-8451: Log QUIC flow control frames and transport parameters received
 - 2024-06-05 TUN-8449: Add flag to control QUIC connection-level flow control limit and increase default to 30MB
 2024.6.0
 - 2024-05-30 TUN-8441: Correct UDP total sessions metric to a counter and add new ICMP metrics
 - 2024-05-28 TUN-8422: Add metrics for capnp method calls
 - 2024-05-24 TUN-8424: Refactor capnp registration server
 - 2024-05-23 TUN-8427: Fix BackoffHandler's internally shared clock structure
 - 2024-05-21 TUN-8425: Remove ICMP binding for quick tunnels
 - 2024-05-20 TUN-8423: Deprecate older legacy tunnel capnp interfaces
 - 2024-05-15 TUN-8419: Add capnp safe transport
 - 2024-05-13 TUN-8415: Refactor capnp rpc into a single module
 2024.5.0
 - 2024-05-07 TUN-8407: Upgrade go to version 1.22.2
 2024.4.1
 - 2024-04-22 TUN-8380: Add sleep before requesting quick tunnel as temporary fix for component tests
 - 2024-04-19 TUN-8374: Close UDP socket if registration fails
 - 2024-04-18 TUN-8371: Bump quic-go to v0.42.0
 - 2024-04-03 TUN-8333: Bump go-jose dependency to v4
 - 2024-04-02 TUN-8331: Add unit testing for AccessJWTValidator middleware
 2024.4.0
 - 2024-04-02 feat: provide short version (#1206)
 - 2024-04-02 Format code
 - 2024-01-18 feat: auto tls sni
 - 2023-12-24 fix checkInPingGroup bugs
 - 2023-12-15 Add environment variables for TCP tunnel hostname / destination / URL.
 2024.3.0
 - 2024-03-14 TUN-8281: Run cloudflared query list tunnels/routes endpoint in a paginated way
 - 2024-03-13 TUN-8297: Improve write timeout logging on safe_stream.go
 - 2024-03-07 TUN-8290: Remove `|| true` from postrm.sh
 - 2024-03-05 TUN-8275: Skip write timeout log on "no network activity"
 - 2024-01-23 Update postrm.sh to fix incomplete uninstall
 - 2024-01-05 fix typo in errcheck for response parsing logic in CreateTunnel routine
 - 2023-12-23 Update linux_service.go
 - 2023-12-07 ci: bump actions/checkout to v4
 - 2023-12-07 ci/check: bump actions/setup-go to v5
 - 2023-04-28 check.yaml: bump actions/setup-go to v4
 2024.2.1
 - 2024-02-20 TUN-8242: Update Changes.md file with new remote diagnostics behaviour
 - 2024-02-19 TUN-8238: Fix type mismatch introduced by fast-forward
 - 2024-02-16 TUN-8243: Collect metrics on the number of QUIC frames sent/received
 - 2024-02-15 TUN-8238: Refactor proxy logging
 - 2024-02-14 TUN-8242: Enable remote diagnostics by default
 - 2024-02-12 TUN-8236: Add write timeout to quic and tcp connections
 - 2024-02-09 TUN-8224: Fix safety of TCP stream logging, separate connect and ack log messages
 2024.2.0
 - 2024-02-07 TUN-8224: Count and collect metrics on stream connect successes/errors
 2024.1.5
 - 2024-01-22 TUN-8176: Support ARM platforms that don't have an FPU or have it enabled in kernel
 - 2024-01-15 TUN-8158: Bring back commit e6537418859afcac29e56a39daa08bcabc09e048 and fixes infinite loop on linux when the socket is closed
 2024.1.4
 - 2024-01-19 Revert "TUN-8158: Add logging to confirm when ICMP reply is returned to the edge"
 2024.1.3
 - 2024-01-15 TUN-8161: Fix broken ARM build for armv6
 - 2024-01-15 TUN-8158: Add logging to confirm when ICMP reply is returned to the edge
 2024.1.2
 - 2024-01-11 TUN-8147: Disable ECN usage due to bugs in detecting if supported
 - 2024-01-11 TUN-8146: Fix export path for install-go command
 - 2024-01-11 TUN-8146: Fix Makefile targets should not be run in parallel and install-go script was missing shebang
 - 2024-01-10 TUN-8140: Remove homebrew scripts
 2024.1.1
 - 2024-01-10 TUN-8134: Revert installed prefix to /usr
 - 2024-01-09 TUN-8130: Fix path to install go for mac build
 - 2024-01-09 TUN-8129: Use the same build command between branch and release builds
 - 2024-01-09 TUN-8130: Install go tool chain in /tmp on build agents
 - 2024-01-09 TUN-8134: Install cloudflare go as part of make install
 - 2024-01-08 TUN-8118: Disable FIPS module to build with go-boring without CGO_ENABLED
 2024.1.0
 - 2024-01-01 TUN-7934: Update quic-go to a version that queues datagrams for better throughput and drops large datagram
 - 2023-12-20 TUN-8072: Need to set GOCACHE in mac go installation script
 - 2023-12-17 TUN-8072: Add script to download cloudflare go for Mac build agents
 - 2023-12-15 Fix nil pointer dereference segfault when passing "null" config json to cloudflared tunnel ingress validate (#1070)
 - 2023-12-15 configuration.go: fix developerPortal link (#960)
 - 2023-12-14 tunnelrpc/pogs: fix dropped test errors (#1106)
 - 2023-12-14 cmd/cloudflared/updater: fix dropped error (#1055)
 - 2023-12-14 use os.Executable to discover the path to cloudflared (#1040)
 - 2023-12-14 Remove extraneous `period` from Path Environment Variable (#1009)
 - 2023-12-14 Use CLI context when running tunnel (#597)
 - 2023-12-14 TUN-8066: Define scripts to build on Windows agents
 - 2023-12-11 TUN-8052: Update go to 1.21.5
 - 2023-12-07 TUN-7970: Default to enable post quantum encryption for quic transport
 - 2023-12-04 TUN-8006: Update quic-go to latest upstream
 - 2023-11-15 VULN-44842 Add a flag that allows users to not send the Access JWT to stdout
 - 2023-11-13 TUN-7965: Remove legacy incident status page check
 - 2023-11-13 AUTH-5682 Org token flow in Access logins should pass CF_AppSession cookie
 2023.10.0
 - 2023-10-06 TUN-7864: Document cloudflared versions support
 - 2023-10-03 CUSTESC-33731: Make rule match test report rule in 0-index base
 - 2023-09-22 TUN-7824: Fix usage of systemctl status to detect which services are installed
 - 2023-09-20 TUN-7813: Improve tunnel delete command to use cascade delete
 - 2023-09-20 TUN-7787: cloudflared only list ip routes targeted for cfd_tunnel
 - 2023-09-15 TUN-7787: Refactor cloudflared to use new route endpoints based on route IDs
 - 2023-09-08 TUN-7776: Remove warp-routing flag from cloudflared
 - 2023-09-05 TUN-7756: Clarify that QUIC is mandatory to support ICMP proxying
 2023.8.2
 - 2023-08-25 TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography
 - 2023-08-22 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled
 2023.8.1
 - 2023-08-23 TUN-7718: Update R2 Token to no longer encode secret
 2023.8.0
 - 2023-07-26 TUN-7584: Bump go 1.20.6
 2023.7.3
 - 2023-07-25 TUN-7628: Correct Host parsing for Access
 - 2023-07-24 TUN-7624: Fix flaky TestBackoffGracePeriod test in cloudflared
 2023.7.2
 - 2023-07-19 TUN-7599: Onboard cloudflared to Software Dashboard
 - 2023-07-19 TUN-7587: Remove junos builds
 - 2023-07-18 TUN-7597: Add flag to disable auto-update services to be installed
 - 2023-07-17 TUN-7594: Add nightly arm64 cloudflared internal deb publishes
 - 2023-07-14 TUN-7586: Upgrade go-jose/go-jose/v3 and core-os/go-oidc/v3
 - 2023-07-14 TUN-7589: Remove legacy golang.org/x/crypto/ssh/terminal package usage
 - 2023-07-14 TUN-7590: Remove usages of ioutil
 - 2023-07-14 TUN-7585: Remove h2mux compression
 - 2023-07-14 TUN-7588: Update package coreos/go-systemd
 2023.7.1
 - 2023-07-13 TUN-7582: Correct changelog wording for --management-diagnostics
 - 2023-07-12 TUN-7575: Add option to disable PTMU discovery over QUIC
 2023.7.0
 - 2023-07-06 TUN-7558: Flush on Writes for StreamBasedOriginProxy
 - 2023-07-05 TUN-7553: Add flag to enable management diagnostic services
 - 2023-07-05 TUN-7564: Support cf-trace-id for cloudflared access
 - 2023-07-05 TUN-7477: Decrement UDP sessions on shutdown
 - 2023-07-03 TUN-7545: Add support for full bidirectionally streaming with close signal propagation
 - 2023-06-30 TUN-7549: Add metrics route to management service
 - 2023-06-30 TUN-7551: Complete removal of raven-go to sentry-go
 - 2023-06-30 TUN-7550: Add pprof endpoint to management service
 - 2023-06-29 TUN-7543: Add --debug-stream flag to cloudflared access ssh
 - 2023-06-26 TUN-6011: Remove docker networks from ICMP Proxy test
 - 2023-06-20 AUTH-5328 Pass cloudflared_token_check param when running cloudflared access login
 2023.6.1
 - 2023-06-19 TUN-7480: Added a timeout for unregisterUDP.
 - 2023-06-16 TUN-7477: Add UDP/TCP session metrics
 - 2023-06-14 TUN-7468: Increase the limit of incoming streams
 2023.6.0
 - 2023-06-15 TUN-7471: Fixes cloudflared not closing the quic stream on unregister UDP session
 - 2023-06-09 TUN-7463: Add default ingress rule if no ingress rules are provided when updating the configuration
 - 2023-05-31 TUN-7447: Add a cover build to report code coverage
 2023.5.1
 - 2023-05-16 TUN-7424: Add CORS headers to host_details responses
 - 2023-05-11 TUN-7421: Add *.cloudflare.com to permitted Origins for management WebSocket requests
 - 2023-05-05 TUN-7404: Default configuration version set to -1
 - 2023-05-05 TUN-7227: Migrate to devincarr/quic-go
 2023.5.0
 - 2023-04-27 TUN-7398: Add support for quic safe stream to set deadline
 - 2023-04-26 TUN-7394: Retry StartFirstTunnel on quic.ApplicationErrors
 - 2023-04-26 TUN-7392: Ignore release checksum upload if asset already uploaded
 - 2023-04-25 TUN-7392: Ignore duplicate artifact uploads for github release
 - 2023-04-25 TUN-7393: Add json output for cloudflared tail
 - 2023-04-24 TUN-7390: Remove Debian stretch builds
 2023.4.2
 - 2023-04-24 TUN-7133: Add sampling support for streaming logs
 - 2023-04-21 TUN-7141: Add component tests for streaming logs
 - 2023-04-21 TUN-7373: Streaming logs override for same actor
 - 2023-04-20 TUN-7383: Bump requirements.txt
 - 2023-04-19 TUN-7361: Add a label to override hostname
 - 2023-04-19 TUN-7378: Remove RPC debug logs
 - 2023-04-18 TUN-7360: Add Get Host Details handler in management service
 - 2023-04-17 AUTH-3122 Verify that Access tokens are still valid in curl command
 - 2023-04-17 TUN-7129: Categorize TCP logs for streaming logs
 - 2023-04-17 TUN-7130: Categorize UDP logs for streaming logs
 - 2023-04-10 AUTH-4887 Add aud parameter to token transfer url
 2023.4.1
 - 2023-04-13 TUN-7368: Report destination address for TCP requests in logs
 - 2023-04-12 TUN-7134: Acquire token for cloudflared tail
 - 2023-04-12 TUN-7131: Add cloudflared log event to connection messages and enable streaming logs
 - 2023-04-11 TUN-7132 TUN-7136: Add filter support for streaming logs
 - 2023-04-06 TUN-7354: Don't warn for empty ingress rules when using --token
 - 2023-04-06 TUN-7128: Categorize logs from public hostname locations
 - 2023-04-06 TUN-7351: Add streaming logs session ping and timeout
 - 2023-04-06 TUN-7335: Fix cloudflared update not working in windows
 2023.4.0
 - 2023-04-07 TUN-7356: Bump golang.org/x/net package to 0.7.0
 - 2023-04-07 TUN-7357: Bump to go 1.19.6
 - 2023-04-06 TUN-7127: Disconnect logger level requirement for management
 - 2023-04-05 TUN-7332: Remove legacy tunnel force flag
 - 2023-04-05 TUN-7135: Add cloudflared tail
 - 2023-04-04 Add suport for OpenBSD (#916)
 - 2023-04-04 Fix typo (#918)
 - 2023-04-04 TUN-7125: Add management streaming logs WebSocket protocol
 - 2023-03-30 TUN-9999: Remove classic tunnel component tests
 - 2023-03-30 TUN-7126: Add Management logger io.Writer
 - 2023-03-29 TUN-7324: Add http.Hijacker to connection.ResponseWriter
 - 2023-03-29 TUN-7333: Default features checkable at runtime across all packages
 - 2023-03-21 TUN-7124: Add intercept ingress rule for management requests
 2023.3.1
 - 2023-03-13 TUN-7271: Return 503 status code when no ingress rules configured
 - 2023-03-10 TUN-7272: Fix cloudflared returning non supported status service which breaks configuration migration
 - 2023-03-09 TUN-7259: Add warning for missing ingress rules
 - 2023-03-09 TUN-7268: Default to Program Files as location for win32
 - 2023-03-07 TUN-7252: Remove h2mux connection
 - 2023-03-07 TUN-7253: Adopt http.ResponseWriter for connection.ResponseWriter
 - 2023-03-06 TUN-7245: Add bastion flag to origin service check
 - 2023-03-06 EDGESTORE-108: Remove deprecated s3v2 signature
 - 2023-03-02 TUN-7226: Fixed a missed rename
 2023.3.0
 - 2023-03-01 GH-352: Add Tunnel CLI option "edge-bind-address" (#870)
 - 2023-03-01 Fixed WIX template to allow MSI upgrades (#838)
 - 2023-02-28 TUN-7213: Decode Base64 encoded key before writing it
 - 2023-02-28 check.yaml: update actions to v3 (#876)
 - 2023-02-27 TUN-7213: Debug homebrew-cloudflare  build
 - 2023-02-15 RTG-2476 Add qtls override for Go 1.20
 2023.2.2
 - 2023-02-22 TUN-7197: Add connIndex tag to debug messages of incoming requests
 - 2023-02-08 TUN-7167: Respect protocol overrides with --token
 - 2023-02-06 TUN-7065: Remove classic tunnel creation
 - 2023-02-06 TUN-6938: Force h2mux protocol to http2 for named tunnels
 - 2023-02-06 TUN-6938: Provide QUIC as first in protocol list
 - 2023-02-03 TUN-7158: Correct TCP tracing propagation
 - 2023-02-01 TUN-7151: Update changes file with latest release notices
 2023.2.1
 - 2023-02-01 TUN-7065: Revert Ingress Rule check for named tunnel configurations
 - 2023-02-01 Revert "TUN-7065: Revert Ingress Rule check for named tunnel configurations"
 - 2023-02-01 Revert "TUN-7065: Remove classic tunnel creation"
 2023.1.0
 - 2023-01-10 TUN-7064: RPM digests are now sha256 instead of md5sum
 - 2023-01-04 RTG-2418 Update qtls
 - 2022-12-24 TUN-7057: Remove dependency github.com/gorilla/mux
 - 2022-12-24 TUN-6724: Migrate to sentry-go from raven-go
 2022.12.1
 - 2022-12-20 TUN-7021: Fix proxy-dns not starting when cloudflared tunnel is run
 - 2022-12-15 TUN-7010: Changelog for release 2022.12.0
 2022.12.0
 - 2022-12-14 TUN-6999: cloudflared should attempt other edge addresses before falling back on protocol
 - 2022-12-13 TUN-7004: Dont show local config dirs for remotely configured tuns
 - 2022-12-12 TUN-7003: Tempoarily disable erroneous notarize-app
 - 2022-12-12 TUN-7003: Add back a missing fi
 - 2022-12-07 TUN-7000: Reduce metric cardinality of closedConnections metric by removing error as tag
 - 2022-12-07 TUN-6994: Improve logging config file not found
 - 2022-12-07 TUN-7002: Randomise first region selection
 - 2022-12-07 TUN-6995: Disable quick-tunnels spin up by default
 - 2022-12-05 TUN-6984: Add bash set x to improve visibility during builds
 - 2022-12-05 TUN-6984: [CI] Ignore security import errors for code_sigining
 - 2022-12-05 TUN-6984: [CI] Don't fail on unset.
 - 2022-11-30 TUN-6984: Set euo pipefile for homebrew builds
 2022.11.1
 - 2022-11-29 TUN-6981: We should close UDP socket if failed to connecto to edge
 - 2022-11-25 CUSTESC-23757: Fix a bug where a wildcard ingress rule would match an host without starting with a dot
 - 2022-11-24 TUN-6970: Print newline when printing tunnel token
 - 2022-11-22 TUN-6963: Refactor Metrics service setup
 2022.11.0
 - 2022-11-16 Revert "TUN-6935: Cloudflared should use APIToken instead of serviceKey"
 - 2022-11-16 TUN-6929: Use same protocol for other connections as first one
 - 2022-11-14 TUN-6941: Reduce log level to debug when failing to proxy ICMP reply
 - 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey
 - 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey
 - 2022-11-11 TUN-6937: Bump golang.org/x/* packages to new release tags
 - 2022-11-10 ZTC-234: macOS tests
 - 2022-11-09 TUN-6927: Refactor validate access configuration to allow empty audTags only
 - 2022-11-08 ZTC-234: Replace ICMP funnels when ingress connection changes
 - 2022-11-04 TUN-6917: Bump go to 1.19.3
 - 2022-11-02 Issue #574: Better ssh config for short-lived cert (#763)
 - 2022-10-28 TUN-6898: Fix bug handling IPv6 based ingresses with missing port
 - 2022-10-28 TUN-6898: Refactor addPortIfMissing
 2022.10.3
 - 2022-10-24 TUN-6871: Add default feature to cloudflared to support EOF on QUIC connections
 - 2022-10-19 TUN-6876: Fix flaky TestTraceICMPRouterEcho by taking account request span can return before reply
 - 2022-10-18 TUN-6867: Clear spans right after they are serialized to avoid returning duplicate spans
 2022.10.2
 - 2022-10-18 TUN-6869: Fix Makefile complaining about missing GO packages
 - 2022-10-18 TUN-6864: Don't reuse port in quic unit tests
 - 2022-10-18 TUN-6868: Return left padded tracing ID when tracing identity is converted to string
 2022.10.1
 - 2022-10-16 TUN-6861: Trace ICMP on Windows
 - 2022-10-15 TUN-6860: Send access configuration keys to the edge
 - 2022-10-14 TUN-6858: Trace ICMP reply
 - 2022-10-13 TUN-6855: Add DatagramV2Type for IP packet with trace and tracing spans
 - 2022-10-13 TUN-6856: Refactor to lay foundation for tracing ICMP
 - 2022-10-13 TUN-6604: Trace icmp echo request on Linux and Darwin
 - 2022-10-12 Fix log message (#591)
 - 2022-10-12 TUN-6853: Reuse source port when connecting to the edge for quic connections
 - 2022-10-11 TUN-6829: Allow user of datagramsession to control logging level of errors
 - 2022-10-10 RTG-2276 Update qtls and go mod tidy
 - 2022-10-05 Add post-quantum flag to quick tunnel
 - 2022-10-05 TUN-6823: Update github release message to pull from KV
 - 2022-10-04 TUN-6825: Fix cloudflared:version images require arch hyphens
 - 2022-10-03 TUN-6806: Add ingress rule number to log when filtering due to middlware handler
 - 2022-08-17 Label correct container
 - 2022-08-16 Fix typo in help text for `cloudflared tunnel route lb`
 - 2022-07-18 drop usage of cat when sed is invoked to generate the manpage
 - 2021-03-15 update-build-readme
 - 2021-03-15 fix link
 2022.10.0
 - 2022-09-30 TUN-6755: Remove unused publish functions
 - 2022-09-30 TUN-6813: Only proxy ICMP packets when warp-routing is enabled
 - 2022-09-29 TUN-6811: Ping group range should be parsed as int32
 - 2022-09-29 TUN-6812: Drop IP packets if ICMP proxy is not initialized
 - 2022-09-28 TUN-6716: Document limitation of Windows ICMP proxy
 - 2022-09-28 TUN-6810: Add component test for post-quantum
 - 2022-09-27 TUN-6715: Provide suggestion to add cloudflared to ping_group_range if it failed to open ICMP socket
 - 2022-09-22 TUN-6792: Fix brew core release by not auditing the formula
 - 2022-09-22 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
 - 2022-09-22 TUN-6775: Add middleware.Handler verification to ProxyHTTP
 - 2022-09-22 TUN-6791: Calculate ICMPv6 checksum
 - 2022-09-22 TUN-6801: Add punycode alternatives for ingress rules
 - 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
 - 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
 - 2022-09-21 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
 - 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
 - 2022-09-20 TUN-6741: ICMP proxy tries to listen on specific IPv4 & IPv6 when possible
 2022.9.1
 - 2022-09-20 TUN-6777: Fix race condition in TestFunnelIdleTimeout
 - 2022-09-20 TUN-6595: Enable datagramv2 and icmp proxy by default
 - 2022-09-20 TUN-6773: Add access based configuration to ingress.OriginRequestConfig
 - 2022-09-19 TUN-6778: Cleanup logs about ICMP
 - 2022-09-19 TUN-6779: cloudflared should also use the root CAs from system pool to validate edge certificate
 - 2022-09-19 TUN-6780: Add support for certReload to also include support for client certificates
 - 2022-09-16 TUN-6767: Build ICMP proxy for Windows only when CGO is enabled
 - 2022-09-15 TUN-6590: Use Windows Teamcity agent to build binary
 - 2022-09-13 TUN-6592: Decrement TTL and return ICMP time exceed if it's 0
 - 2022-09-09 TUN-6749: Fix icmp_generic build
 - 2022-09-09 TUN-6744: On posix platforms, assign unique echo ID per (src, dst, echo ID)
 - 2022-09-08 TUN-6743: Support ICMPv6 echo on Windows
 - 2022-09-08 TUN-6689: Utilize new RegisterUDPSession to begin tracing
 - 2022-09-07 TUN-6688: Update RegisterUdpSession capnproto to include trace context
 - 2022-09-06 TUN-6740: Detect no UDP packets allowed and fallback from QUIC in that case
 - 2022-09-06 TUN-6654: Support ICMPv6 on Linux and Darwin
 - 2022-09-02 TUN-6696: Refactor flow into funnel and close idle funnels
 - 2022-09-02 TUN-6718: Bump go and go-boring 1.18.6
 - 2022-08-29 TUN-6531: Implement ICMP proxy for Windows using IcmpSendEcho
 - 2022-08-24 RTG-1339 Support post-quantum hybrid key exchange
 2022.9.0
 - 2022-09-05 TUN-6737: Fix datagramV2Type should be declared in its own block so it starts at 0
 - 2022-09-01 TUN-6725: Fix testProxySSEAllData
 - 2022-09-01 TUN-6726: Fix maxDatagramPayloadSize for Windows QUIC datagrams
 - 2022-09-01 TUN-6729: Fix flaky TestClosePreviousProxies
 - 2022-09-01 TUN-6728: Verify http status code ingress rule
 - 2022-08-25 TUN-6695: Implement ICMP proxy for linux
 2022.8.4
 - 2022-08-31 TUN-6717: Update Github action to run with Go 1.19
 - 2022-08-31 TUN-6720: Remove forcibly closing connection during reconnect signal
 - 2022-08-29 Release 2022.8.3
 2022.8.3
 - 2022-08-26 TUN-6708: Fix replace flow logic
 - 2022-08-25 TUN-6705: Tunnel should retry connections forever
 - 2022-08-25 TUN-6704: Honor protocol flag when edge discovery is unreachable
 - 2022-08-25 TUN-6699: Add metric for packet too big dropped
 - 2022-08-24 TUN-6691: Properly error check for net.ErrClosed
 - 2022-08-22 TUN-6679: Allow client side of quic request to close body
 - 2022-08-22 TUN-6586: Change ICMP proxy to only build for Darwin and use echo ID to track flows
 - 2022-08-18 TUN-6530: Implement ICMPv4 proxy
 - 2022-08-17 TUN-6666: Define packet package
 - 2022-08-17 TUN-6667: DatagramMuxerV2 provides a method to receive RawPacket
 - 2022-08-16 TUN-6657: Ask for Tunnel ID and Configuration on Bug Report
 - 2022-08-16 TUN-6676: Add suport for trailers in http2 connections
 - 2022-08-11 TUN-6575: Consume cf-trace-id from incoming http2 TCP requests
 2022.8.2
 - 2022-08-16 TUN-6656: Docker for arm64 should not be deployed in an amd64 container
 2022.8.1
 - 2022-08-15 TUN-6617: Updated CHANGES.md for protocol stickiness
 - 2022-08-12 EDGEPLAT-3918: bump go and go-boring to 1.18.5
 - 2022-08-12 TUN-6652: Publish dockerfile for both amd64 and arm64
 - 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
 - 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
 - 2022-08-11 Revert "TUN-6617: Dont fallback to http2 if QUIC conn was successful."
 - 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
 - 2022-08-01 TUN-6584: Define QUIC datagram v2 format to support proxying IP packets
 2022.8.0
 - 2022-08-10 TUN-6637: Upgrade quic-go
 - 2022-08-10 TUN-6646: Add support to SafeStreamCloser to close only write side of stream
 - 2022-08-09 TUN-6642: Fix unexpected close of quic stream triggered by upstream origin close
 - 2022-08-09 TUN-6639: Validate cyclic ingress configuration
 - 2022-08-08 TUN-6637: Upgrade go version and quic-go
 - 2022-08-08 TUN-6639: Validate cyclic ingress configuration
 - 2022-08-04 EDGEPLAT-3918: build cloudflared for Bookworm
 - 2022-08-02 Revert "TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span"
 - 2022-07-27 TUN-6601: Update gopkg.in/yaml.v3 references in modules
 - 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span
 - 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span
 - 2022-07-25 TUN-6598: Remove auto assignees on github issues
 - 2022-07-20 TUN-6583: Remove legacy --ui flag
 - 2022-07-20 cURL supports stdin and uses os pipes directly without copying
 - 2022-07-07 TUN-6517: Use QUIC stream context while proxying HTTP requests and TCP connections
 2022.7.1
 - 2022-07-06 TUN-6503: Fix transport fallback from QUIC in face of dial error "no network activity"
--- a/build-packages-fips.sh
+++ b/build-packages-fips.sh
@ -1,8 +1,9 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
+export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 arch=("amd64")
@ -16,10 +17,10 @@ make cloudflared-deb
 mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
-RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+RPMVERSION=$(echo $VERSION | sed -r 's/-/_/g')
 RPMARCH="x86_64"
 make cloudflared-rpm
 mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
-mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch
+mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,27 +1,26 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
-# Avoid depending on C code since we don't need it.
+# Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
+export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 export TARGET_OS=windows
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    make cloudflared-msi
    mv ./cloudflared.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
    mv cloudflared-$VERSION-$arch.msi $ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for arm platforms without hardware FPU enabled
    if [[ $arch == arm ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=5
    fi
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -1,6 +1,6 @@
-//Package carrier provides a WebSocket proxy to carry or proxy a connection
+// Package carrier provides a WebSocket proxy to carry or proxy a connection
-//from the local client to the edge. See it as a wrapper around any protocol
+// from the local client to the edge. See it as a wrapper around any protocol
-//that it packages up in a WebSocket connection to the edge.
+// that it packages up in a WebSocket connection to the edge.
 package carrier
 import (
--- a/carrier/websocket.go
+++ b/carrier/websocket.go
@ -9,6 +9,7 @@ import (
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/token"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
@ -37,7 +38,7 @@ func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) erro
 	}
 	defer wsConn.Close()
-	cfwebsocket.Stream(wsConn, conn, ws.log)
+	stream.Pipe(wsConn, conn, ws.log)
 	return nil
 }
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -0,0 +1,17 @@
 apiVersion: backstage.io/v1alpha1
 kind: Component
 metadata:
  name: cloudflared
  description: Client for Cloudflare Tunnels
  annotations:
    cloudflare.com/software-excellence-opt-in: "true"
    cloudflare.com/jira-project-key: "TUN"
    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
  tags:
    - internal
 spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
    FIPS: "required"
--- a/certutil/certutil.go
+++ b/certutil/certutil.go
@ -1,94 +0,0 @@
 package certutil
 import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"strings"
 )
 type namedTunnelToken struct {
 	ZoneID     string `json:"zoneID"`
 	AccountID  string `json:"accountID"`
 	ServiceKey string `json:"serviceKey"`
 }
 type OriginCert struct {
 	PrivateKey interface{}
 	Cert       *x509.Certificate
 	ZoneID     string
 	ServiceKey string
 	AccountID  string
 }
 func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
 	if len(blocks) == 0 {
 		return nil, fmt.Errorf("Cannot decode empty certificate")
 	}
 	originCert := OriginCert{}
 	block, rest := pem.Decode(blocks)
 	for {
 		if block == nil {
 			break
 		}
 		switch block.Type {
 		case "PRIVATE KEY":
 			if originCert.PrivateKey != nil {
 				return nil, fmt.Errorf("Found multiple private key in the certificate")
 			}
 			// RSA private key
 			privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("Cannot parse private key")
 			}
 			originCert.PrivateKey = privateKey
 		case "CERTIFICATE":
 			if originCert.Cert != nil {
 				return nil, fmt.Errorf("Found multiple certificates in the certificate")
 			}
 			cert, err := x509.ParseCertificates(block.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("Cannot parse certificate")
 			} else if len(cert) > 1 {
 				return nil, fmt.Errorf("Found multiple certificates in the certificate")
 			}
 			originCert.Cert = cert[0]
 		case "WARP TOKEN", "ARGO TUNNEL TOKEN":
 			if originCert.ZoneID != "" || originCert.ServiceKey != "" {
 				return nil, fmt.Errorf("Found multiple tokens in the certificate")
 			}
 			// The token is a string,
 			// Try the newer JSON format
 			ntt := namedTunnelToken{}
 			if err := json.Unmarshal(block.Bytes, &ntt); err == nil {
 				originCert.ZoneID = ntt.ZoneID
 				originCert.ServiceKey = ntt.ServiceKey
 				originCert.AccountID = ntt.AccountID
 			} else {
 				// Try the older format, where the zoneID and service key are separated by
 				// a new line character
 				token := string(block.Bytes)
 				s := strings.Split(token, "\n")
 				if len(s) != 2 {
 					return nil, fmt.Errorf("Cannot parse token")
 				}
 				originCert.ZoneID = s[0]
 				originCert.ServiceKey = s[1]
 			}
 		default:
 			return nil, fmt.Errorf("Unknown block %s in the certificate", block.Type)
 		}
 		block, rest = pem.Decode(rest)
 	}
 	if originCert.PrivateKey == nil {
 		return nil, fmt.Errorf("Missing private key in the certificate")
 	} else if originCert.Cert == nil {
 		return nil, fmt.Errorf("Missing certificate in the certificate")
 	} else if originCert.ZoneID == "" || originCert.ServiceKey == "" {
 		return nil, fmt.Errorf("Missing token in the certificate")
 	}
 	return &originCert, nil
 }
--- a/certutil/certutil_test.go
+++ b/certutil/certutil_test.go
@ -1,67 +0,0 @@
 package certutil
 import (
 	"fmt"
 	"io/ioutil"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestLoadOriginCert(t *testing.T) {
 	cert, err := DecodeOriginCert([]byte{})
 	assert.Equal(t, fmt.Errorf("Cannot decode empty certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err := ioutil.ReadFile("test-cert-no-key.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Missing private key in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert-two-certificates.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Found multiple certificates in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert-unknown-block.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Unknown block RSA PRIVATE KEY in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Nil(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "v1.0-58bd4f9e28f7b3c28e05a35ff3e80ab4fd9644ef3fece537eb0d12e2e9258217-183442fbb0bbdb3e571558fec9b5589ebd77aafc87498ee3f09f64a4ad79ffe8791edbae08b36c1d8f1d70a8670de56922dff92b15d214a524f4ebfa1958859e-7ce80f79921312a6022c5d25e2d380f82ceaefe3fbdc43dd13b080e3ef1e26f7"
 	assert.Equal(t, key, cert.ServiceKey)
 }
 func TestNewlineArgoTunnelToken(t *testing.T) {
 	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert.pem")
 }
 func TestJSONArgoTunnelToken(t *testing.T) {
 	// The given cert's Argo Tunnel Token was generated by base64 encoding this JSON:
 	// {
 	// "zoneID": "7b0a4d77dfb881c1a3b7d61ea9443e19",
 	// "serviceKey": "test-service-key",
 	// "accountID": "abcdabcdabcdabcd1234567890abcdef"
 	// }
 	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert-json.pem")
 }
 func ArgoTunnelTokenTest(t *testing.T, path string) {
 	blocks, err := ioutil.ReadFile(path)
 	assert.Nil(t, err)
 	cert, err := DecodeOriginCert(blocks)
 	assert.Nil(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "test-service-key"
 	assert.Equal(t, key, cert.ServiceKey)
 }
--- a/certutil/test-cert-no-key.pem
+++ b/certutil/test-cert-no-key.pem
@ -1,33 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/certutil/test-cert-two-certificates.pem
+++ b/certutil/test-cert-two-certificates.pem
@ -1,85 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/certutil/test-cert.pem
+++ b/certutil/test-cert.pem
@ -1,61 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/cfapi/base_client.go
+++ b/cfapi/base_client.go
@ -104,25 +104,39 @@ func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (
 	if bodyReader != nil {
 		req.Header.Set("Content-Type", jsonContentType)
 	}
-	req.Header.Add("X-Auth-User-Service-Key", r.authToken)
+	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", r.authToken))
 	req.Header.Add("Accept", "application/json;version=1")
 	return r.client.Do(req)
 }
-func parseResponse(reader io.Reader, data interface{}) error {
+func parseResponseEnvelope(reader io.Reader) (*response, error) {
 	// Schema for Tunnelstore responses in the v1 API.
 	// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
 	var result response
 	// First, parse the wrapper and check the API call succeeded
 	if err := json.NewDecoder(reader).Decode(&result); err != nil {
-		return errors.Wrap(err, "failed to decode response")
+		return nil, errors.Wrap(err, "failed to decode response")
 	}
 	if err := result.checkErrors(); err != nil {
-		return err
+		return nil, err
 	}
 	if !result.Success {
-		return ErrAPINoSuccess
+		return nil, ErrAPINoSuccess
 	}
 	return &result, nil
 }
 func parseResponse(reader io.Reader, data interface{}) error {
 	result, err := parseResponseEnvelope(reader)
 	if err != nil {
 		return err
 	}
 	return parseResponseBody(result, data)
 }
 func parseResponseBody(result *response, data interface{}) error {
 	// At this point we know the API call succeeded, so, parse out the inner
 	// result into the datatype provided as a parameter.
 	if err := json.Unmarshal(result.Result, &data); err != nil {
@ -131,11 +145,58 @@ func parseResponse(reader io.Reader, data interface{}) error {
 	return nil
 }
 func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
 	page := 0
 	var fullResponse []*T
 	for {
 		page += 1
 		envelope, parsedBody, err := fetchPage[T](requestFn, page)
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
 		}
 		fullResponse = append(fullResponse, parsedBody...)
 		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
 			break
 		}
 	}
 	return fullResponse, nil
 }
 func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
 	pageResp, err := requestFn(page)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "REST request failed")
 	}
 	defer pageResp.Body.Close()
 	if pageResp.StatusCode == http.StatusOK {
 		envelope, err := parseResponseEnvelope(pageResp.Body)
 		if err != nil {
 			return nil, nil, err
 		}
 		var parsedRspBody []*T
 		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
 	}
 	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
 }
 type response struct {
-	Success  bool            `json:"success,omitempty"`
+	Success    bool            `json:"success,omitempty"`
-	Errors   []apiErr        `json:"errors,omitempty"`
+	Errors     []apiErr        `json:"errors,omitempty"`
-	Messages []string        `json:"messages,omitempty"`
+	Messages   []string        `json:"messages,omitempty"`
-	Result   json.RawMessage `json:"result,omitempty"`
+	Result     json.RawMessage `json:"result,omitempty"`
 	Pagination Pagination      `json:"result_info,omitempty"`
 }
 type Pagination struct {
 	Count      int `json:"count,omitempty"`
 	Page       int `json:"page,omitempty"`
 	PerPage    int `json:"per_page,omitempty"`
 	TotalCount int `json:"total_count,omitempty"`
 }
 func (r *response) checkErrors() error {
--- a/cfapi/client.go
+++ b/cfapi/client.go
@ -8,7 +8,8 @@ type TunnelClient interface {
 	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
-	DeleteTunnel(tunnelID uuid.UUID) error
+	GetManagementToken(tunnelID uuid.UUID) (string, error)
 	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
 	CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
@ -21,14 +22,14 @@ type HostnameClient interface {
 type IPRouteClient interface {
 	ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
 	AddRoute(newRoute NewRoute) (Route, error)
-	DeleteRoute(params DeleteRouteParams) error
+	DeleteRoute(id uuid.UUID) error
 	GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
 }
 type VnetClient interface {
 	CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)
 	ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)
-	DeleteVirtualNetwork(id uuid.UUID) error
+	DeleteVirtualNetwork(id uuid.UUID, force bool) error
 	UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error
 }
--- a/cfapi/ip_route.go
+++ b/cfapi/ip_route.go
@ -75,10 +75,12 @@ type NewRoute struct {
 // MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
 func (r NewRoute) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&struct {
 		Network  string     `json:"network"`
 		TunnelID uuid.UUID  `json:"tunnel_id"`
 		Comment  string     `json:"comment"`
 		VNetID   *uuid.UUID `json:"virtual_network_id,omitempty"`
 	}{
 		Network:  r.Network.String(),
 		TunnelID: r.TunnelID,
 		Comment:  r.Comment,
 		VNetID:   r.VNetID,
@ -87,6 +89,7 @@ func (r NewRoute) MarshalJSON() ([]byte, error) {
 // DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
 type DetailedRoute struct {
 	ID       uuid.UUID `json:"id"`
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
@ -115,7 +118,8 @@ func (r DetailedRoute) TableString() string {
 	}
 	return fmt.Sprintf(
-		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
+		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
 		r.ID,
 		r.Network.String(),
 		vnetColumn,
 		r.Comment,
@ -126,12 +130,6 @@ func (r DetailedRoute) TableString() string {
 	)
 }
 type DeleteRouteParams struct {
 	Network net.IPNet
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 type GetRouteByIpParams struct {
 	Ip net.IP
 	// Optional field. If unset, backend will assume the default vnet for the account.
@ -139,26 +137,30 @@ type GetRouteByIpParams struct {
 }
 // ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
 // Due to pagination on the server side it will call the endpoint multiple times if needed.
 func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
-	endpoint := r.baseEndpoints.accountRoutes
+	fetchFn := func(page int) (*http.Response, error) {
-	endpoint.RawQuery = filter.Encode()
+		endpoint := r.baseEndpoints.accountRoutes
-	resp, err := r.sendRequest("GET", endpoint, nil)
+		filter.Page(page)
-	if err != nil {
+		endpoint.RawQuery = filter.Encode()
-		return nil, errors.Wrap(err, "REST request failed")
+		rsp, err := r.sendRequest("GET", endpoint, nil)
 	}
 	defer resp.Body.Close()
-	if resp.StatusCode == http.StatusOK {
+		if err != nil {
-		return parseListDetailedRoutes(resp.Body)
+			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list routes", rsp)
 		}
 		return rsp, nil
 	}
-
+	return fetchExhaustively[DetailedRoute](fetchFn)
 	return nil, r.statusCodeToError("list routes", resp)
 }
 // AddRoute calls the Tunnelstore POST endpoint for a given route.
 func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 	endpoint := r.baseEndpoints.accountRoutes
-	endpoint.Path = path.Join(endpoint.Path, "network", url.PathEscape(newRoute.Network.String()))
+	endpoint.Path = path.Join(endpoint.Path)
 	resp, err := r.sendRequest("POST", endpoint, newRoute)
 	if err != nil {
 		return Route{}, errors.Wrap(err, "REST request failed")
@ -173,10 +175,9 @@ func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 }
 // DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
-func (r *RESTClient) DeleteRoute(params DeleteRouteParams) error {
+func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
 	endpoint := r.baseEndpoints.accountRoutes
-	endpoint.Path = path.Join(endpoint.Path, "network", url.PathEscape(params.Network.String()))
+	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	setVnetParam(&endpoint, params.VNetID)
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
@ -211,12 +212,6 @@ func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
 	return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
 }
 func parseListDetailedRoutes(body io.ReadCloser) ([]*DetailedRoute, error) {
 	var routes []*DetailedRoute
 	err := parseResponse(body, &routes)
 	return routes, err
 }
 func parseRoute(body io.ReadCloser) (Route, error) {
 	var route Route
 	err := parseResponse(body, &route)
--- a/cfapi/ip_route_filter.go
+++ b/cfapi/ip_route_filter.go
@ -58,31 +58,29 @@ type IpRouteFilter struct {
 // NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
 func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
-	f := &IpRouteFilter{
+	f := NewIPRouteFilter()
 		queryParams: url.Values{},
 	}
 	// Set deletion filter
 	if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
-		f.deleted()
+		f.Deleted()
 	} else {
-		f.notDeleted()
+		f.NotDeleted()
 	}
 	if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
 		return nil, err
 	} else if subset != nil {
-		f.networkIsSupersetOf(*subset)
+		f.NetworkIsSupersetOf(*subset)
 	}
 	if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
 		return nil, err
 	} else if superset != nil {
-		f.networkIsSupersetOf(*superset)
+		f.NetworkIsSupersetOf(*superset)
 	}
 	if comment := c.String(filterIpRouteComment.Name); comment != "" {
-		f.commentIs(comment)
+		f.CommentIs(comment)
 	}
 	if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
@ -90,7 +88,7 @@ func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
 		}
-		f.tunnelID(u)
+		f.TunnelID(u)
 	}
 	if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
@ -98,7 +96,7 @@ func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
 		}
-		f.vnetID(u)
+		f.VNetID(u)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
@ -124,35 +122,44 @@ func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
 	return subset, nil
 }
-func (f *IpRouteFilter) commentIs(comment string) {
+func NewIPRouteFilter() *IpRouteFilter {
 	values := &IpRouteFilter{queryParams: url.Values{}}
 	// always list cfd_tunnel routes only
 	values.queryParams.Set("tun_types", "cfd_tunnel")
 	return values
 }
 func (f *IpRouteFilter) CommentIs(comment string) {
 	f.queryParams.Set("comment", comment)
 }
-func (f *IpRouteFilter) notDeleted() {
+func (f *IpRouteFilter) NotDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
-func (f *IpRouteFilter) deleted() {
+func (f *IpRouteFilter) Deleted() {
 	f.queryParams.Set("is_deleted", "true")
 }
-func (f *IpRouteFilter) networkIsSubsetOf(superset net.IPNet) {
+func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
 	f.queryParams.Set("network_subset", superset.String())
 }
-func (f *IpRouteFilter) networkIsSupersetOf(subset net.IPNet) {
+func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
 	f.queryParams.Set("network_superset", subset.String())
 }
-func (f *IpRouteFilter) existedAt(existedAt time.Time) {
+func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
 }
-func (f *IpRouteFilter) tunnelID(id uuid.UUID) {
+func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
 	f.queryParams.Set("tunnel_id", id.String())
 }
-func (f *IpRouteFilter) vnetID(id uuid.UUID) {
+func (f *IpRouteFilter) VNetID(id uuid.UUID) {
 	f.queryParams.Set("virtual_network_id", id.String())
 }
@ -160,6 +167,10 @@ func (f *IpRouteFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *IpRouteFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f IpRouteFilter) Encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/ip_route_test.go
+++ b/cfapi/ip_route_test.go
@ -69,6 +69,7 @@ func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 	}{
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
@ -80,6 +81,7 @@ func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 		},
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
@ -167,9 +169,10 @@ func TestRouteTableString(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	r := DetailedRoute{
 		ID:      uuid.Nil,
 		Network: CIDR(*network),
 	}
 	row := r.TableString()
 	fmt.Println(row)
-	require.True(t, strings.HasPrefix(row, "1.2.3.4/32"))
+	require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
 }
--- a/cfapi/tunnel.go
+++ b/cfapi/tunnel.go
@ -50,6 +50,10 @@ type newTunnel struct {
 	TunnelSecret []byte `json:"tunnel_secret"`
 }
 type managementRequest struct {
 	Resources []string `json:"resources"`
 }
 type CleanupParams struct {
 	queryParams url.Values
 }
@ -89,7 +93,7 @@ func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWith
 	switch resp.StatusCode {
 	case http.StatusOK:
 		var tunnel TunnelWithToken
-		if serdeErr := parseResponse(resp.Body, &tunnel); err != nil {
+		if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
 			return nil, serdeErr
 		}
 		return &tunnel, nil
@ -133,9 +137,36 @@ func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
-func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID) error {
+func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
 	body := &managementRequest{
 		Resources: []string{"logs"},
 	}
 	resp, err := r.sendRequest("POST", endpoint, body)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
 	// are linked to the deleted tunnel.
 	if cascade {
 		endpoint.RawQuery = "cascade=true"
 	}
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
@ -146,25 +177,22 @@ func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID) error {
 }
 func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
-	endpoint := r.baseEndpoints.accountLevel
+	fetchFn := func(page int) (*http.Response, error) {
-	endpoint.RawQuery = filter.encode()
+		endpoint := r.baseEndpoints.accountLevel
-	resp, err := r.sendRequest("GET", endpoint, nil)
+		filter.Page(page)
-	if err != nil {
+		endpoint.RawQuery = filter.encode()
-		return nil, errors.Wrap(err, "REST request failed")
+		rsp, err := r.sendRequest("GET", endpoint, nil)
-	}
+		if err != nil {
-	defer resp.Body.Close()
+			return nil, errors.Wrap(err, "REST request failed")
-
+		}
-	if resp.StatusCode == http.StatusOK {
+		if rsp.StatusCode != http.StatusOK {
-		return parseListTunnels(resp.Body)
+			rsp.Body.Close()
 			return nil, r.statusCodeToError("list tunnels", rsp)
 		}
 		return rsp, nil
 	}
-	return nil, r.statusCodeToError("list tunnels", resp)
+	return fetchExhaustively[Tunnel](fetchFn)
 }
 func parseListTunnels(body io.ReadCloser) ([]*Tunnel, error) {
 	var tunnels []*Tunnel
 	err := parseResponse(body, &tunnels)
 	return tunnels, err
 }
 func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
--- a/cfapi/tunnel_filter.go
+++ b/cfapi/tunnel_filter.go
@ -50,6 +50,10 @@ func (f *TunnelFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *TunnelFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f TunnelFilter) encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/tunnel_test.go
+++ b/cfapi/tunnel_test.go
@ -3,7 +3,6 @@ package cfapi
 import (
 	"bytes"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"reflect"
 	"strings"
@ -16,52 +15,6 @@ import (
 var loc, _ = time.LoadLocation("UTC")
 func Test_parseListTunnels(t *testing.T) {
 	type args struct {
 		body string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    []*Tunnel
 		wantErr bool
 	}{
 		{
 			name: "empty list",
 			args: args{body: `{"success": true, "result": []}`},
 			want: []*Tunnel{},
 		},
 		{
 			name:    "success is false",
 			args:    args{body: `{"success": false, "result": []}`},
 			wantErr: true,
 		},
 		{
 			name:    "errors are present",
 			args:    args{body: `{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": []}`},
 			wantErr: true,
 		},
 		{
 			name:    "invalid response",
 			args:    args{body: `abc`},
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			body := ioutil.NopCloser(bytes.NewReader([]byte(tt.args.body)))
 			got, err := parseListTunnels(body)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("parseListTunnels() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("parseListTunnels() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func Test_unmarshalTunnel(t *testing.T) {
 	type args struct {
 		body string
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -80,9 +80,16 @@ func (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork,
 	return nil, r.statusCodeToError("list virtual networks", resp)
 }
-func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID) error {
+func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	queryParams := url.Values{}
 	if force {
 		queryParams.Set("force", strconv.FormatBool(force))
 	}
 	endpoint.RawQuery = queryParams.Encode()
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,83 +1,77 @@
-pinned_go: &pinned_go go=1.17.10-1
+pinned_go: &pinned_go go-boring=1.22.10-1
 pinned_go_fips: &pinned_go_fips go-boring=1.17.9-1
 build_dir: &build_dir /cfsetup_build
-default-flavor: buster
+default-flavor: bookworm
-stretch: &stretch
+
-  build:
+bullseye: &bullseye
  build-linux:
    build_dir: *build_dir
-    builddeps:
+    builddeps: &build_deps
      - *pinned_go
      - build-essential
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared
  build-fips:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make cloudflared
  # except FIPS (handled in github-fips-release-pkgs) and macos (handled in github-release-macos-amd64)
  github-release-pkgs:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-dev
      - libffi-dev
-      - python3-setuptools
+      - golangci-lint
-      - python3-pip
+    pre-cache: &build_pre_cache
-      - reprepro
+      - export GOCACHE=/cfsetup_build/.cache/go-build
-      - createrepo
+      - go install golang.org/x/tools/cmd/goimports@v0.30.0
    pre-cache: &github_release_pkgs_pre_cache
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      # Linting
      - make lint
      - make fmt-check
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export FIPS=true
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - make cover
  # except FIPS and macos
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . /cfsetup_build/env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
      # release the packages built and moved to /cfsetup/built_artifacts
      - make github-release-built-pkgs
      # publish packages to linux repos
      - make release-pkgs-linux
  # handle FIPS separately so that we built with gofips compiler
-  github-fips-release-pkgs:
+  build-linux-fips-release:
    build_dir: *build_dir
-    builddeps:
+    builddeps: *build_deps_release
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache: *github_release_pkgs_pre_cache
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
-      - make github-release-built-pkgs
+  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
@ -92,7 +86,7 @@ stretch: &stretch
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
-      - *pinned_go_fips
+      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
@ -102,7 +96,7 @@ stretch: &stretch
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
-  build-fips-internal-deb-nightly:
+  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
@ -112,6 +106,16 @@ stretch: &stretch
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      # - export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
@ -119,145 +123,135 @@ stretch: &stretch
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
-  publish-deb:
+  package-windows:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-venv
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - .teamcity/package-windows.sh
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_tests
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps: &build_deps_component_test
      - *pinned_go
      - python3
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service
      # because the init script uses ps pid to determine if the agent is
      # running
      - procps
      - python3-venv
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: &component_test_post_cache
      - python3 -m venv env
      - . env/bin/activate
      - pip install --upgrade -r component-tests/requirements.txt
      # Creates and routes a Named Tunnel for this build. Also constructs
      # config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_component_test
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: *component_test_post_cache
  github-release-dryrun:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release-dryrun
  github-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release
  r2-linux-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
-      - openssh-client
+      - rpm
-    post-cache:
+      - wget
      - export GOOS=linux
      - export GOARCH=amd64
      - make publish-deb
  github-release-macos-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
-    pre-cache: &install_pygithub
+      - reprepro
-      - pip3 install pynacl==1.4.0
+      - createrepo-c
-      - pip3 install pygithub==1.55
+      - python3-venv
    post-cache:
-      - make github-mac-upload
+      - python3 -m venv env
-  test:
+      - . env/bin/activate
-    build_dir: *build_dir
+      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
-    builddeps:
+      - make r2-linux-release
      - *pinned_go
      - build-essential
      - gotest-to-teamcity
    pre-cache: &test_pre_cache
      - go get golang.org/x/tools/cmd/goimports
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - gotest-to-teamcity
    pre-cache: *test_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - python3.7
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service because the init script
      # uses ps pid to determine if the agent is running
      - procps
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache:
      - sudo pip3 install --upgrade -r component-tests/requirements.txt
    post-cache:
      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  update-homebrew:
    builddeps:
      - openssh-client
      - s3cmd
      - jq
      - build-essential
    post-cache:
      - .teamcity/update-homebrew.sh
      - .teamcity/update-homebrew-core.sh
  github-message-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - make github-message
  build-junos:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3
      - genisoimage
      - jetez
    pre-cache:
      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
    post-cache:
      - export GOOS=freebsd
      - export GOARCH=amd64
      - make cloudflared-junos
  publish-junos:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3
      - genisoimage
      - jetez
      - s4cmd
    pre-cache:
      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
    post-cache:
      - export GOOS=freebsd
      - export GOARCH=amd64
      - make publish-cloudflared-junos
-buster: *stretch
+bookworm: *bullseye
-bullseye: *stretch
+trixie: *bullseye
 centos-7:
  publish-rpm:
    build_dir: *build_dir
    builddeps: &el7_builddeps
      - https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    pre-cache:
      - yum install -y fakeroot
      - yum upgrade -y binutils-2.27-44.base.el7.x86_64
      - wget https://go.dev/dl/go1.17.10.linux-amd64.tar.gz -P /tmp/
      - tar -C /usr/local -xzf /tmp/go1.17.10.linux-amd64.tar.gz
    post-cache:
      - export PATH=$PATH:/usr/local/go/bin
      - export GOOS=linux
      - export GOARCH=amd64
      - make publish-rpm
--- a/cloudflared.wxs
+++ b/cloudflared.wxs
@ -1,62 +1,64 @@
 <?xml version="1.0"?>
-<?if $(var.Platform)="x86"?>
+<?if $(var.Platform)="x64" ?>
    <?define Program_Files="ProgramFilesFolder"?>
 <?else?>
    <?define Program_Files="ProgramFiles64Folder"?>
-<?endif?>
+<?else ?>
    <?define Program_Files="ProgramFilesFolder"?>
 <?endif ?>
 <?ifndef var.Version?>
    <?error Undefined Version variable?>
-<?endif?>
+<?endif ?>
 <?ifndef var.Path?>
    <?error Undefined Path variable?>
-<?endif?>
+<?endif ?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
-    <Product Id="35e5e858-9372-4449-bf73-1cd6f7267128" 
+    <Product Id="*"
        UpgradeCode="23f90fdd-9328-47ea-ab52-5380855a4b12"
        Name="cloudflared"
        Version="$(var.Version)"
        Manufacturer="cloudflare"
        Language="1033">
-      <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine"/>
+        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
-      <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
+        <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
-      <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
+        <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
         <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED"/>
         <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
                         Property="OLDERVERSIONBEINGUPGRADED"/>
      </Upgrade>
      <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
-    <Directory Id="TARGETDIR" Name="SourceDir">
+        <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
-        <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
+            <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
-        <Directory Id="$(var.Program_Files)">
+            <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
-            <Directory Id="INSTALLDIR" Name="cloudflared">
+                Property="OLDERVERSIONBEINGUPGRADED" />
-                <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
+        </Upgrade>
-                    <File Id="ApplicationFile0" Source="$(var.Path)"/>
+        <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
-                </Component>
+
        <Directory Id="TARGETDIR" Name="SourceDir">
            <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
            <Directory Id="$(var.Program_Files)">
                <Directory Id="INSTALLDIR" Name="cloudflared">
                    <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
                        <File Id="ApplicationFile0" Source="$(var.Path)" />
                    </Component>
                </Directory>
            </Directory>
            <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
                <!--Set the cloudflared bin location to the Path Environment Variable-->
                <Environment Id="ENV0"
                    Name="PATH"
                    Value="[INSTALLDIR]"
                    Permanent="no"
                    Part="last"
                    Action="create"
                    System="yes" />
            </Component>
        </Directory>
        <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
        <!--Set the cloudflared bin location to the Path Environment Variable-->
         <Environment Id="ENV0"
           Name="PATH"
           Value="[INSTALLDIR]."
           Permanent="no"
           Part="last"
           Action="create"
           System="yes" />
        </Component>
    </Directory>
-    <Feature Id='Complete' Level='1'>
+        <Feature Id='Complete' Level='1'>
-      <ComponentRef Id="ENVS"/>
+            <ComponentRef Id="ENVS" />
-      <ComponentRef Id='ApplicationFiles' />
+            <ComponentRef Id='ApplicationFiles' />
-    </Feature>
+        </Feature>
    </Product>
 </Wix>
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -3,6 +3,7 @@ package access
 import (
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
@ -13,6 +14,7 @@ import (
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/validation"
 )
@ -38,6 +40,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	if forwarder.TokenSecret != "" {
 		headers.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)
 	}
 	headers.Set("User-Agent", userAgent)
 	carrier.SetBastionDest(headers, forwarder.Destination)
@ -58,31 +61,37 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	log := logger.CreateSSHLoggerFromContext(c, logger.EnableTerminalLog)
+	// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process
 	outputTerminal := logger.DisableTerminalLog
 	if c.IsSet(sshURLFlag) {
 		outputTerminal = logger.EnableTerminalLog
 	}
 	log := logger.CreateSSHLoggerFromContext(c, outputTerminal)
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
-	hostname, err := validation.ValidateHostname(rawHostName)
+	url, err := parseURL(rawHostName)
-	if err != nil || rawHostName == "" {
+	if err != nil {
 		log.Err(err).Send()
 		return cli.ShowCommandHelp(c, "ssh")
 	}
 	originURL := ensureURLScheme(hostname)
 	// get the headers from the cmdline and add them
-	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
 	headers.Set("User-Agent", userAgent)
 	carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
 	options := &carrier.StartOptions{
-		OriginURL: originURL,
+		OriginURL: url.String(),
 		Headers:   headers,
-		Host:      hostname,
+		Host:      url.Host,
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
@ -95,7 +104,7 @@ func ssh(c *cli.Context) error {
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: true, // #nosec G402
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@ -121,16 +130,16 @@ func ssh(c *cli.Context) error {
 		return err
 	}
-	return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)
+	var s io.ReadWriter
-}
+	s = &carrier.StdinoutStream{}
-
+	if c.IsSet(sshDebugStream) {
-func buildRequestHeaders(values []string) http.Header {
+		maxMessages := c.Uint64(sshDebugStream)
-	headers := make(http.Header)
+		if maxMessages == 0 {
-	for _, valuePair := range values {
+			// default to 10 if provided but unset
-		split := strings.Split(valuePair, ":")
+			maxMessages = 10
 		if len(split) > 1 {
 			headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))
 		}
 		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	return headers
+	return carrier.StartClient(wsConn, s, options)
 }
--- a/cmd/cloudflared/access/carrier_test.go
+++ b/cmd/cloudflared/access/carrier_test.go
@ -1,18 +0,0 @@
 package access
 import (
 	"net/http"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestBuildRequestHeaders(t *testing.T) {
 	headers := make(http.Header)
 	headers.Add("client", "value")
 	headers.Add("secret", "safe-value")
 	values := buildRequestHeaders([]string{"client: value", "secret: safe-value", "trash"})
 	assert.Equal(t, headers.Get("client"), values.Get("client"))
 	assert.Equal(t, headers.Get("secret"), values.Get("secret"))
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -11,7 +11,7 @@ import (
 	"text/template"
 	"time"
-	"github.com/getsentry/raven-go"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -19,6 +19,7 @@ import (
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/token"
@ -26,6 +27,8 @@ import (
 )
 const (
 	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
@ -34,19 +37,17 @@ const (
 	sshTokenSecretFlag = "service-token-secret"
 	sshGenCertFlag     = "short-lived-cert"
 	sshConnectTo       = "connect-to"
 	sshDebugStream     = "debug-stream"
 	sshConfigTemplate  = `
 Add to your {{.Home}}/.ssh/config:
 Host {{.Hostname}}
 {{- if .ShortLivedCerts}}
-  ProxyCommand bash -c '{{.Cloudflared}} access ssh-gen --hostname %h; ssh -tt %r@cfpipe-{{.Hostname}} >&2 <&1'
+Match host {{.Hostname}} exec "{{.Cloudflared}} access ssh-gen --hostname %h"
 Host cfpipe-{{.Hostname}}
  HostName {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
-  IdentityFile ~/.cloudflared/{{.Hostname}}-cf_key
+  IdentityFile ~/.cloudflared/%h-cf_key
-  CertificateFile ~/.cloudflared/{{.Hostname}}-cf_key-cert.pub
+  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
 {{- else}}
 Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
@ -84,14 +85,29 @@ func Commands() []*cli.Command {
 			applications from the command line.`,
 			Subcommands: []*cli.Command{
 				{
-					Name:   "login",
+					Name:      "login",
-					Action: cliutil.Action(login),
+					Action:    cliutil.Action(login),
-					Usage:  "login <url of access application>",
+					Usage:     "login <url of access application>",
 					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
 					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
 					administrator. cloudflared stores the token in local storage.`,
 					Flags: []cli.Flag{
 						&cli.BoolFlag{
 							Name:    loginQuietFlag,
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
 						&cli.BoolFlag{
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
 					},
 				},
 				{
 					Name:   "curl",
@ -105,12 +121,12 @@ func Commands() []*cli.Command {
 				{
 					Name:        "token",
 					Action:      cliutil.Action(generateToken),
-					Usage:       "token -app=<url of access application>",
+					Usage:       "token <url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: "app",
+							Name: appURLFlag,
 						},
 					},
 				},
@ -126,15 +142,18 @@ func Commands() []*cli.Command {
 							Name:    sshHostnameFlag,
 							Aliases: []string{"tunnel-host", "T"},
 							Usage:   "specify the hostname of your application.",
 							EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
 						},
 						&cli.StringFlag{
-							Name:  sshDestinationFlag,
+							Name:    sshDestinationFlag,
-							Usage: "specify the destination address of your SSH server.",
+							Usage:   "specify the destination address of your SSH server.",
 							EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
 						},
 						&cli.StringFlag{
 							Name:    sshURLFlag,
 							Aliases: []string{"listener", "L"},
 							Usage:   "specify the host:port to forward data to Cloudflare edge.",
 							EnvVars: []string{"TUNNEL_SERVICE_URL"},
 						},
 						&cli.StringSliceFlag{
 							Name:    sshHeaderFlag,
@ -154,12 +173,15 @@ func Commands() []*cli.Command {
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:    logger.LogSSHDirectoryFlag,
+							Name:  cfdflags.LogFile,
-							Aliases: []string{"logfile"}, //added to match the tunnel side
+							Usage: "Save application log to this file for reporting issues.",
 							Usage:   "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:    logger.LogSSHLevelFlag,
+							Name:  cfdflags.LogDirectory,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
 							Name:    cfdflags.LogLevelSSH,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
 							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
 						},
@ -168,6 +190,11 @@ func Commands() []*cli.Command {
 							Hidden: true,
 							Usage:  "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
 						},
 						&cli.Uint64Flag{
 							Name:   sshDebugStream,
 							Hidden: true,
 							Usage:  "Writes up-to the max provided stream payloads to the logger as debug statements.",
 						},
 					},
 				},
 				{
@ -205,16 +232,18 @@ func Commands() []*cli.Command {
 // login pops up the browser window to do the actual login and JWT generation
 func login(c *cli.Context) error {
-	if err := raven.SetDSN(sentryDSN); err != nil {
+	err := sentry.Init(sentry.ClientOptions{
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
-	args := c.Args()
+	appURL, err := getAppURLFromArgs(c)
-	rawURL := ensureURLScheme(args.First())
+	if err != nil {
 	appURL, err := url.Parse(rawURL)
 	if args.Len() < 1 || err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
@ -237,24 +266,29 @@ func login(c *cli.Context) error {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
-	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
+
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
 	// Chatty by default for backward compat. The new --app flag
 	// is an implicit opt-out of the backwards-compatible chatty output.
 	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
 		fmt.Fprint(os.Stdout, cfdToken)
 	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	}
 	return nil
 }
 // ensureURLScheme prepends a URL with https:// if it doesn't have a scheme. http:// URLs will not be converted.
 func ensureURLScheme(url string) string {
 	url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
 	if !strings.HasPrefix(url, "https://") {
 		url = fmt.Sprintf("https://%s", url)
 	}
 	return url
 }
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
-	if err := raven.SetDSN(sentryDSN); err != nil {
+	err := sentry.Init(sentry.ClientOptions{
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
@ -275,6 +309,13 @@ func curl(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
 	// Verify that the existing token is still good; if not fetch a new one
 	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
 	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
 		if allowRequest {
@ -296,12 +337,13 @@ func curl(c *cli.Context) error {
 // run kicks off a shell task and pipe the results to the respective std pipes
 func run(cmd string, args ...string) error {
 	c := exec.Command(cmd, args...)
 	c.Stdin = os.Stdin
 	stderr, err := c.StderrPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stderr, stderr)
+		_, _ = io.Copy(os.Stderr, stderr)
 	}()
 	stdout, err := c.StdoutPipe()
@ -309,18 +351,33 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stdout, stdout)
+		_, _ = io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
 func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
 	var appURLStr string
 	args := c.Args()
 	if args.Len() < 1 {
 		appURLStr = c.String(appURLFlag)
 	} else {
 		appURLStr = args.First()
 	}
 	return parseURL(appURLStr)
 }
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
-	if err := raven.SetDSN(sentryDSN); err != nil {
+	err := sentry.Init(sentry.ClientOptions{
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
-	appURL, err := url.Parse(ensureURLScheme(c.String("app")))
+	appURL, err := getAppURLFromArgs(c)
-	if err != nil || c.NumFlags() < 1 {
+	if err != nil {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
@ -372,7 +429,7 @@ func sshGen(c *cli.Context) error {
 		return cli.ShowCommandHelp(c, "ssh-gen")
 	}
-	originURL, err := url.Parse(ensureURLScheme(hostname))
+	originURL, err := parseURL(hostname)
 	if err != nil {
 		return err
 	}
@ -451,6 +508,11 @@ func processURL(s string) (*url.URL, error) {
 // cloudflaredPath pulls the full path of cloudflared on disk
 func cloudflaredPath() string {
 	path, err := os.Executable()
 	if err == nil && isFileThere(path) {
 		return path
 	}
 	for _, p := range strings.Split(os.Getenv("PATH"), ":") {
 		path := fmt.Sprintf("%s/%s", p, "cloudflared")
 		if isFileThere(path) {
@ -470,10 +532,10 @@ func isFileThere(candidate string) bool {
 }
 // verifyTokenAtEdge checks for a token on disk, or generates a new one.
-// Then makes a request to to the origin with the token to ensure it is valid.
+// Then makes a request to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
-	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
@ -508,6 +570,11 @@ func isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, err
 		return false, errors.Wrap(err, "Could not create access request")
 	}
 	req.Header.Set("User-Agent", userAgent)
 	query := req.URL.Query()
 	query.Set("cloudflared_token_check", "true")
 	req.URL.RawQuery = query.Encode()
 	// Do not follow redirects
 	client := &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
--- a/cmd/cloudflared/access/cmd_test.go
+++ b/cmd/cloudflared/access/cmd_test.go
@ -1,25 +0,0 @@
 package access
 import "testing"
 func Test_ensureURLScheme(t *testing.T) {
 	type args struct {
 		url string
 	}
 	tests := []struct {
 		name string
 		args args
 		want string
 	}{
 		{"no scheme", args{"localhost:123"}, "https://localhost:123"},
 		{"http scheme", args{"http://test"}, "https://test"},
 		{"https scheme", args{"https://test"}, "https://test"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := ensureURLScheme(tt.args.url); got != tt.want {
 				t.Errorf("ensureURLScheme() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/cmd/cloudflared/access/validation.go
+++ b/cmd/cloudflared/access/validation.go
@ -0,0 +1,55 @@
 package access
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"golang.org/x/net/http/httpguts"
 )
 // parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
 // a http.Header object.
 func parseRequestHeaders(values []string) http.Header {
 	headers := make(http.Header)
 	for _, valuePair := range values {
 		header, value, found := strings.Cut(valuePair, ":")
 		if found {
 			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
 		}
 	}
 	return headers
 }
 // parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
 // certain expectations from the URL.
 // Will convert all HTTP URLs to HTTPS
 func parseURL(input string) (*url.URL, error) {
 	if input == "" {
 		return nil, errors.New("no input provided")
 	}
 	if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
 		input = fmt.Sprintf("https://%s", input)
 	}
 	url, err := url.ParseRequestURI(input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse as URL: %w", err)
 	}
 	if url.Scheme != "https" {
 		url.Scheme = "https"
 	}
 	if url.Host == "" {
 		return nil, errors.New("failed to parse Host")
 	}
 	host, err := httpguts.PunycodeHostPort(url.Host)
 	if err != nil || host == "" {
 		return nil, err
 	}
 	if !httpguts.ValidHostHeader(host) {
 		return nil, errors.New("invalid Host provided")
 	}
 	url.Host = host
 	return url, nil
 }
--- a/cmd/cloudflared/access/validation_test.go
+++ b/cmd/cloudflared/access/validation_test.go
@ -0,0 +1,80 @@
 package access
 import (
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestParseRequestHeaders(t *testing.T) {
 	values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
 	assert.Len(t, values, 3)
 	assert.Equal(t, "value", values.Get("client"))
 	assert.Equal(t, "safe-value", values.Get("secret"))
 	assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
 }
 func TestParseURL(t *testing.T) {
 	schemes := []string{
 		"http://",
 		"https://",
 		"",
 	}
 	hosts := []struct {
 		input    string
 		expected string
 	}{
 		{"localhost", "localhost"},
 		{"127.0.0.1", "127.0.0.1"},
 		{"127.0.0.1:9090", "127.0.0.1:9090"},
 		{"::1", "::1"},
 		{"::1:8080", "::1:8080"},
 		{"[::1]", "[::1]"},
 		{"[::1]:8080", "[::1]:8080"},
 		{":8080", ":8080"},
 		{"example.com", "example.com"},
 		{"hello.example.com", "hello.example.com"},
 		{"bücher.example.com", "xn--bcher-kva.example.com"},
 	}
 	paths := []string{
 		"",
 		"/test",
 		"/example.com?qwe=123",
 	}
 	for i, scheme := range schemes {
 		for j, host := range hosts {
 			for k, path := range paths {
 				t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
 					input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
 					expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
 					url, err := parseURL(input)
 					assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
 					assert.Equal(t, expected, url.String())
 					assert.Equal(t, host.expected, url.Host)
 					assert.Equal(t, "https", url.Scheme)
 				})
 			}
 		}
 	}
 	t.Run("no input", func(t *testing.T) {
 		_, err := parseURL("")
 		assert.ErrorContains(t, err, "no input provided")
 	})
 	t.Run("missing host", func(t *testing.T) {
 		_, err := parseURL("https:///host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid path only", func(t *testing.T) {
 		_, err := parseURL("/host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid parse URL", func(t *testing.T) {
 		_, err := parseURL("https://host\\host")
 		assert.ErrorContains(t, err, "failed to parse as URL")
 	})
 }
--- a/cmd/cloudflared/cliutil/build_info.go
+++ b/cmd/cloudflared/cliutil/build_info.go
@ -1,7 +1,10 @@
 package cliutil
 import (
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"github.com/rs/zerolog"
@ -13,6 +16,7 @@ type BuildInfo struct {
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 	Checksum           string `json:"checksum"`
 }
 func GetBuildInfo(buildType, version string) *BuildInfo {
@ -22,11 +26,12 @@ func GetBuildInfo(buildType, version string) *BuildInfo {
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
 		Checksum:           currentBinaryChecksum(),
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
-	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
+	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
@ -47,3 +52,32 @@ func (bi *BuildInfo) GetBuildTypeMsg() string {
 	}
 	return fmt.Sprintf(" with %s", bi.BuildType)
 }
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
 // FileChecksum opens a file and returns the SHA256 checksum.
 func FileChecksum(filePath string) (string, error) {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 func currentBinaryChecksum() string {
 	currentPath, err := os.Executable()
 	if err != nil {
 		return ""
 	}
 	sum, _ := FileChecksum(currentPath)
 	return sum
 }
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -0,0 +1,51 @@
 package cliutil
 import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    cfdflags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    cfdflags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
 			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    cfdflags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    cfdflags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    cfdflags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 	}
 }
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@ -0,0 +1,155 @@
 package flags
 const (
 	// HaConnections specifies how many connections to make to the edge
 	HaConnections = "ha-connections"
 	// SshPort is the port on localhost the cloudflared ssh server will run on
 	SshPort = "local-ssh-port"
 	// SshIdleTimeout defines the duration a SSH session can remain idle before being closed
 	SshIdleTimeout = "ssh-idle-timeout"
 	// SshMaxTimeout defines the max duration a SSH session can remain open for
 	SshMaxTimeout = "ssh-max-timeout"
 	// SshLogUploaderBucketName is the bucket name to use for the SSH log uploader
 	SshLogUploaderBucketName = "bucket-name"
 	// SshLogUploaderRegionName is the AWS region name to use for the SSH log uploader
 	SshLogUploaderRegionName = "region-name"
 	// SshLogUploaderSecretID is the Secret id of SSH log uploader
 	SshLogUploaderSecretID = "secret-id"
 	// SshLogUploaderAccessKeyID is the Access key id of SSH log uploader
 	SshLogUploaderAccessKeyID = "access-key-id"
 	// SshLogUploaderSessionTokenID is the Session token of SSH log uploader
 	SshLogUploaderSessionTokenID = "session-token"
 	// SshLogUploaderS3URL is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
 	SshLogUploaderS3URL = "s3-url-host"
 	// HostKeyPath is the path of the dir to save SSH host keys too
 	HostKeyPath = "host-key-path"
 	// RpcTimeout is how long to wait for a Capnp RPC request to the edge
 	RpcTimeout = "rpc-timeout"
 	// WriteStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
 	WriteStreamTimeout = "write-stream-timeout"
 	// QuicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
 	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
 	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
 	QuicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
 	// QuicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
 	// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
 	// but it's blocked by flow control
 	QuicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
 	// QuicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
 	// it will send a STREAM_DATA_BLOCKED frame
 	QuicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
 	// Ui is to enable launching cloudflared in interactive UI mode
 	Ui = "ui"
 	// ConnectorLabel is the command line flag to give a meaningful label to a specific connector
 	ConnectorLabel = "label"
 	// MaxActiveFlows is the command line flag to set the maximum number of flows that cloudflared can be processing at the same time
 	MaxActiveFlows = "max-active-flows"
 	// Tag is the command line flag to set custom tags used to identify this tunnel via added HTTP request headers to the origin
 	Tag = "tag"
 	// Protocol is the command line flag to set the protocol to use to connect to the Cloudflare Edge
 	Protocol = "protocol"
 	// PostQuantum is the command line flag to force the connection to Cloudflare Edge to use Post Quantum cryptography
 	PostQuantum = "post-quantum"
 	// Features is the command line flag to opt into various features that are still being developed or tested
 	Features = "features"
 	// EdgeIpVersion is the command line flag to set the Cloudflare Edge IP address version to connect with
 	EdgeIpVersion = "edge-ip-version"
 	// EdgeBindAddress is the command line flag to bind to IP address for outgoing connections to Cloudflare Edge
 	EdgeBindAddress = "edge-bind-address"
 	// Force is the command line flag to specify if you wish to force an action
 	Force = "force"
 	// Edge is the command line flag to set the address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment
 	Edge = "edge"
 	// Region is the command line flag to set the Cloudflare Edge region to connect to
 	Region = "region"
 	// IsAutoUpdated is the command line flag to signal the new process that cloudflared has been autoupdated
 	IsAutoUpdated = "is-autoupdated"
 	// LBPool is the command line flag to set the name of the load balancing pool to add this origin to
 	LBPool = "lb-pool"
 	// Retries is the command line flag to set the maximum number of retries for connection/protocol errors
 	Retries = "retries"
 	// MaxEdgeAddrRetries is the command line flag to set the maximum number of times to retry on edge addrs before falling back to a lower protocol
 	MaxEdgeAddrRetries = "max-edge-addr-retries"
 	// GracePeriod is the command line flag to set the maximum amount of time that cloudflared waits to shut down if it is still serving requests
 	GracePeriod = "grace-period"
 	// ICMPV4Src is the command line flag to set the source address and the interface name to send/receive ICMPv4 messages
 	ICMPV4Src = "icmpv4-src"
 	// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages
 	ICMPV6Src = "icmpv6-src"
 	// ProxyDns is the command line flag to run DNS server over HTTPS
 	ProxyDns = "proxy-dns"
 	// Name is the command line to set the name of the tunnel
 	Name = "name"
 	// AutoUpdateFreq is the command line for setting the frequency that cloudflared checks for updates
 	AutoUpdateFreq = "autoupdate-freq"
 	// NoAutoUpdate is the command line flag to disable cloudflared from checking for updates
 	NoAutoUpdate = "no-autoupdate"
 	// LogLevel is the command line flag for the cloudflared logging level
 	LogLevel = "loglevel"
 	// LogLevelSSH is the command line flag for the cloudflared ssh logging level
 	LogLevelSSH = "log-level"
 	// TransportLogLevel is the command line flag for the transport logging level
 	TransportLogLevel = "transport-loglevel"
 	// LogFile is the command line flag to define the file where application logs will be stored
 	LogFile = "logfile"
 	// LogDirectory is the command line flag to define the directory where application logs will be stored.
 	LogDirectory = "log-directory"
 	// TraceOutput is the command line flag to set the name of trace output file
 	TraceOutput = "trace-output"
 	// OriginCert is the command line flag to define the path for the origin certificate used by cloudflared
 	OriginCert = "origincert"
 	// Metrics is the command line flag to define the address of the metrics server
 	Metrics = "metrics"
 	// MetricsUpdateFreq is the command line flag to define how frequently tunnel metrics are updated
 	MetricsUpdateFreq = "metrics-update-freq"
 	// ApiURL is the command line flag used to define the base URL of the API
 	ApiURL = "api-url"
 )
--- a/cmd/cloudflared/generic_service.go
+++ b/cmd/cloudflared/generic_service.go
@ -1,14 +1,40 @@
 //go:build !windows && !darwin && !linux
 // +build !windows,!darwin,!linux
 package main
 import (
 	"fmt"
 	"os"
 	cli "github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service (not supported on this operating system)",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
 				Usage:  "Install cloudflared as a system service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(installGenericService),
 			},
 			{
 				Name:   "uninstall",
 				Usage:  "Uninstall the cloudflared service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(uninstallGenericService),
 			},
 		},
 	})
 	app.Run(os.Args)
 }
 func installGenericService(c *cli.Context) error {
 	return fmt.Errorf("service installation is not supported on this operating system")
 }
 func uninstallGenericService(c *cli.Context) error {
 	return fmt.Errorf("service uninstallation is not supported on this operating system")
 }
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -1,5 +1,4 @@
 //go:build linux
 // +build linux
 package main
@ -25,6 +24,9 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
 				Name:   "install",
 				Usage:  "Install cloudflared as a system service",
 				Action: cliutil.ConfiguredAction(installLinuxService),
 				Flags: []cli.Flag{
 					noUpdateServiceFlag,
 				},
 			},
 			{
 				Name:   "uninstall",
@ -39,19 +41,22 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
 // The directory and files that are used by the service.
 // These are hard-coded in the templates below.
 const (
-	serviceConfigDir      = "/etc/cloudflared"
+	serviceConfigDir         = "/etc/cloudflared"
-	serviceConfigFile     = "config.yml"
+	serviceConfigFile        = "config.yml"
-	serviceCredentialFile = "cert.pem"
+	serviceCredentialFile    = "cert.pem"
-	serviceConfigPath     = serviceConfigDir + "/" + serviceConfigFile
+	serviceConfigPath        = serviceConfigDir + "/" + serviceConfigFile
-	cloudflaredService    = "cloudflared.service"
+	cloudflaredService       = "cloudflared.service"
 	cloudflaredUpdateService = "cloudflared-update.service"
 	cloudflaredUpdateTimer   = "cloudflared-update.timer"
 )
-var systemdTemplates = []ServiceTemplate{
+var systemdAllTemplates = map[string]ServiceTemplate{
-	{
+	cloudflaredService: {
 		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredService),
 		Content: `[Unit]
 Description=cloudflared
-After=network.target
+After=network-online.target
 Wants=network-online.target
 [Service]
 TimeoutStartSec=0
@ -64,18 +69,19 @@ RestartSec=5s
 WantedBy=multi-user.target
 `,
 	},
-	{
+	cloudflaredUpdateService: {
-		Path: "/etc/systemd/system/cloudflared-update.service",
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateService),
 		Content: `[Unit]
 Description=Update cloudflared
-After=network.target
+After=network-online.target
 Wants=network-online.target
 [Service]
 ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
 `,
 	},
-	{
+	cloudflaredUpdateTimer: {
-		Path: "/etc/systemd/system/cloudflared-update.timer",
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateTimer),
 		Content: `[Unit]
 Description=Update cloudflared
@ -106,7 +112,7 @@ var sysvTemplate = ServiceTemplate{
 # Description:       cloudflared agent
 ### END INIT INFO
 name=$(basename $(readlink -f $0))
-cmd="{{.Path}} --pidfile /var/run/$name.pid --autoupdate-freq 24h0m0s{{ range .ExtraArgs }} {{ . }}{{ end }}"
+cmd="{{.Path}} --pidfile /var/run/$name.pid {{ range .ExtraArgs }} {{ . }}{{ end }}"
 pid_file="/var/run/$name.pid"
 stdout_log="/var/log/$name.log"
 stderr_log="/var/log/$name.err"
@ -178,6 +184,14 @@ exit 0
 `,
 }
 var (
 	noUpdateServiceFlag = &cli.BoolFlag{
 		Name:  "no-update-service",
 		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
 		Value: false,
 	}
 )
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
 		return true
@ -196,6 +210,9 @@ func installLinuxService(c *cli.Context) error {
 		Path: etPath,
 	}
 	// Check if the "no update flag" is set
 	autoUpdate := !c.IsSet(noUpdateServiceFlag.Name)
 	var extraArgsFunc func(c *cli.Context, log *zerolog.Logger) ([]string, error)
 	if c.NArg() == 0 {
 		extraArgsFunc = buildArgsForConfig
@ -213,10 +230,10 @@ func installLinuxService(c *cli.Context) error {
 	switch {
 	case isSystemd():
 		log.Info().Msgf("Using Systemd")
-		err = installSystemd(&templateArgs, log)
+		err = installSystemd(&templateArgs, autoUpdate, log)
 	default:
 		log.Info().Msgf("Using SysV")
-		err = installSysv(&templateArgs, log)
+		err = installSysv(&templateArgs, autoUpdate, log)
 	}
 	if err == nil {
@ -261,7 +278,20 @@ credentials-file: CREDENTIALS-FILE
 	}, nil
 }
-func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
+func installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
 	var systemdTemplates []ServiceTemplate
 	if autoUpdate {
 		systemdTemplates = []ServiceTemplate{
 			systemdAllTemplates[cloudflaredService],
 			systemdAllTemplates[cloudflaredUpdateService],
 			systemdAllTemplates[cloudflaredUpdateTimer],
 		}
 	} else {
 		systemdTemplates = []ServiceTemplate{
 			systemdAllTemplates[cloudflaredService],
 		}
 	}
 	for _, serviceTemplate := range systemdTemplates {
 		err := serviceTemplate.Generate(templateArgs)
 		if err != nil {
@ -273,10 +303,14 @@ func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) erro
 		log.Err(err).Msgf("systemctl enable %s error", cloudflaredService)
 		return err
 	}
-	if err := runCommand("systemctl", "start", "cloudflared-update.timer"); err != nil {
+
-		log.Err(err).Msg("systemctl start cloudflared-update.timer error")
+	if autoUpdate {
-		return err
+		if err := runCommand("systemctl", "start", cloudflaredUpdateTimer); err != nil {
 			log.Err(err).Msgf("systemctl start %s error", cloudflaredUpdateTimer)
 			return err
 		}
 	}
 	if err := runCommand("systemctl", "daemon-reload"); err != nil {
 		log.Err(err).Msg("systemctl daemon-reload error")
 		return err
@ -284,12 +318,19 @@ func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) erro
 	return runCommand("systemctl", "start", cloudflaredService)
 }
-func installSysv(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
+func installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
 	confPath, err := sysvTemplate.ResolvePath()
 	if err != nil {
 		log.Err(err).Msg("error resolving system path")
 		return err
 	}
 	if autoUpdate {
 		templateArgs.ExtraArgs = append([]string{"--autoupdate-freq 24h0m0s"}, templateArgs.ExtraArgs...)
 	} else {
 		templateArgs.ExtraArgs = append([]string{"--no-autoupdate"}, templateArgs.ExtraArgs...)
 	}
 	if err := sysvTemplate.Generate(templateArgs); err != nil {
 		log.Err(err).Msg("error generating system template")
 		return err
@ -327,19 +368,35 @@ func uninstallLinuxService(c *cli.Context) error {
 }
 func uninstallSystemd(log *zerolog.Logger) error {
-	if err := runCommand("systemctl", "disable", cloudflaredService); err != nil {
+	// Get only the installed services
-		log.Err(err).Msgf("systemctl disable %s error", cloudflaredService)
+	installedServices := make(map[string]ServiceTemplate)
-		return err
+	for serviceName, serviceTemplate := range systemdAllTemplates {
 		if err := runCommand("systemctl", "list-units", "--all", "|", "grep", serviceName); err == nil {
 			installedServices[serviceName] = serviceTemplate
 		} else {
 			log.Info().Msgf("Service '%s' not installed, skipping its uninstall", serviceName)
 		}
 	}
-	if err := runCommand("systemctl", "stop", cloudflaredService); err != nil {
+
-		log.Err(err).Msgf("systemctl stop %s error", cloudflaredService)
+	if _, exists := installedServices[cloudflaredService]; exists {
-		return err
+		if err := runCommand("systemctl", "disable", cloudflaredService); err != nil {
 			log.Err(err).Msgf("systemctl disable %s error", cloudflaredService)
 			return err
 		}
 		if err := runCommand("systemctl", "stop", cloudflaredService); err != nil {
 			log.Err(err).Msgf("systemctl stop %s error", cloudflaredService)
 			return err
 		}
 	}
-	if err := runCommand("systemctl", "stop", "cloudflared-update.timer"); err != nil {
+
-		log.Err(err).Msg("systemctl stop cloudflared-update.timer error")
+	if _, exists := installedServices[cloudflaredUpdateTimer]; exists {
-		return err
+		if err := runCommand("systemctl", "stop", cloudflaredUpdateTimer); err != nil {
 			log.Err(err).Msgf("systemctl stop %s error", cloudflaredUpdateTimer)
 			return err
 		}
 	}
-	for _, serviceTemplate := range systemdTemplates {
+
 	for _, serviceTemplate := range installedServices {
 		if err := serviceTemplate.Remove(); err != nil {
 			log.Err(err).Msg("error removing service template")
 			return err
--- a/cmd/cloudflared/macos_service.go
+++ b/cmd/cloudflared/macos_service.go
@ -1,5 +1,4 @@
 //go:build darwin
 // +build darwin
 package main
@ -7,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
@ -18,7 +18,7 @@ const (
 	launchdIdentifier = "com.cloudflare.cloudflared"
 )
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared launch agent",
@ -120,7 +120,7 @@ func installLaunchd(c *cli.Context) error {
 		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
 			"Note that cloudflared client will only run when the user is logged in. " +
 			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
@ -208,3 +208,15 @@ func uninstallLaunchd(c *cli.Context) error {
 	}
 	return err
 }
 func userHomeDir() (string, error) {
 	// This returns the home dir of the executing user using OS-specific method
 	// for discovering the home dir. It's not recommended to call this function
 	// when the user has root permission as $HOME depends on what options the user
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
--- a/cmd/cloudflared/main.go
+++ b/cmd/cloudflared/main.go
@ -2,19 +2,19 @@ package main
 import (
 	"fmt"
-	"math/rand"
+	"os"
 	"strings"
 	"time"
-	"github.com/getsentry/raven-go"
+	"github.com/getsentry/sentry-go"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"go.uber.org/automaxprocs/maxprocs"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
@ -48,10 +48,10 @@ var (
 )
 func main() {
-	rand.Seed(time.Now().UnixNano())
+	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
 	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
 	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
-	raven.SetRelease(Version)
+	_, _ = maxprocs.Set()
 	maxprocs.Set()
 	bInfo := cliutil.GetBuildInfo(BuildType, Version)
 	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
@ -87,9 +87,10 @@ func main() {
 	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
 	access.Init(graceShutdownC, Version)
-	updater.Init(Version)
+	updater.Init(bInfo)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
 	runApp(app, graceShutdownC)
 }
@ -105,7 +106,7 @@ func commands(version func(c *cli.Context)) []*cli.Command {
 					Usage: "specify if you wish to update to the latest beta version",
 				},
 				&cli.BoolFlag{
-					Name:   "force",
+					Name:   cfdflags.Force,
 					Usage:  "specify if you wish to force an upgrade to the latest version regardless of the current version",
 					Hidden: true,
 				},
@ -129,16 +130,28 @@ To determine if an update happened in a script, check for error code 11.`,
 		{
 			Name: "version",
 			Action: func(c *cli.Context) (err error) {
 				if c.Bool("short") {
 					fmt.Println(strings.Split(c.App.Version, " ")[0])
 					return nil
 				}
 				version(c)
 				return nil
 			},
 			Usage:       versionText,
 			Description: versionText,
 			Flags: []cli.Flag{
 				&cli.BoolFlag{
 					Name:    "short",
 					Aliases: []string{"s"},
 					Usage:   "print just the version number",
 				},
 			},
 		},
 	}
 	cmds = append(cmds, tunnel.Commands()...)
 	cmds = append(cmds, proxydns.Command(false))
 	cmds = append(cmds, access.Commands()...)
 	cmds = append(cmds, tail.Command())
 	return cmds
 }
@ -156,10 +169,10 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 		if isEmptyInvocation(c) {
 			return handleServiceMode(c, graceShutdownC)
 		}
-		tags := make(map[string]string)
+		func() {
-		tags["hostname"] = c.String("hostname")
+			defer sentry.Recover()
-		raven.SetTagsContext(tags)
+			err = tunnel.TunnelCommand(c)
-		raven.CapturePanic(func() { err = tunnel.TunnelCommand(c) }, nil)
+		}()
 		if err != nil {
 			captureError(err)
 		}
@ -167,18 +180,6 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 	})
 }
 func userHomeDir() (string, error) {
 	// This returns the home dir of the executing user using OS-specific method
 	// for discovering the home dir. It's not recommended to call this function
 	// when the user has root permission as $HOME depends on what options the user
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
 // In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.
 func captureError(err error) {
 	errorMessage := err.Error()
@ -187,7 +188,7 @@ func captureError(err error) {
 			return
 		}
 	}
-	raven.CaptureError(err, nil)
+	sentry.CaptureException(err)
 }
 // cloudflared was started without any flags
--- a/cmd/cloudflared/proxydns/cmd.go
+++ b/cmd/cloudflared/proxydns/cmd.go
@ -1,6 +1,7 @@
 package proxydns
 import (
 	"context"
 	"net"
 	"os"
 	"os/signal"
@ -73,7 +74,7 @@ func Run(c *cli.Context) error {
 		log.Fatal().Err(err).Msg("Failed to open the metrics listener")
 	}
-	go metrics.ServeMetrics(metricsListener, nil, nil, "", nil, log)
+	go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
 	listener, err := tunneldns.CreateListener(
 		c.String("address"),
--- a/cmd/cloudflared/service_template.go
+++ b/cmd/cloudflared/service_template.go
@ -1,14 +1,13 @@
 package main
 import (
 	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"text/template"
 	homedir "github.com/mitchellh/go-homedir"
@ -45,7 +44,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
-		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
+		return errors.New(serviceAlreadyExistsWarn(resolvedPath))
 	}
 	var buffer bytes.Buffer
@ -58,13 +57,13 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		fileMode = st.FileMode
 	}
-	plistFolder := path.Dir(resolvedPath)
+	plistFolder := filepath.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
 	}
-	err = ioutil.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
+	err = os.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
 	if err != nil {
 		return fmt.Errorf("error writing %s: %v", resolvedPath, err)
 	}
@ -103,7 +102,7 @@ func runCommand(command string, args ...string) error {
 		return fmt.Errorf("error starting %s: %v", command, err)
 	}
-	output, _ := ioutil.ReadAll(stderr)
+	output, _ := io.ReadAll(stderr)
 	err = cmd.Wait()
 	if err != nil {
 		return fmt.Errorf("%s %v returned with error code %v due to: %v", command, args, err, string(output))
@ -119,49 +118,6 @@ func ensureConfigDirExists(configDir string) error {
 	return err
 }
 // openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
 func openFile(path string, create bool) (file *os.File, exists bool, err error) {
 	expandedPath, err := homedir.Expand(path)
 	if err != nil {
 		return nil, false, err
 	}
 	if create {
 		fileInfo, err := os.Stat(expandedPath)
 		if err == nil && fileInfo.Size() > 0 {
 			return nil, true, nil
 		}
 		file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
 	} else {
 		file, err = os.Open(expandedPath)
 	}
 	return file, false, err
 }
 func copyCredential(srcCredentialPath, destCredentialPath string) error {
 	destFile, exists, err := openFile(destCredentialPath, true)
 	if err != nil {
 		return err
 	} else if exists {
 		// credentials already exist, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcCredentialPath, false)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	// Copy certificate
 	_, err = io.Copy(destFile, srcFile)
 	if err != nil {
 		return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
 	}
 	return nil
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
@ -188,36 +144,3 @@ func copyFile(src, dest string) error {
 	ok = true
 	return nil
 }
 func copyConfig(srcConfigPath, destConfigPath string) error {
 	// Copy or create config
 	destFile, exists, err := openFile(destConfigPath, true)
 	if err != nil {
 		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
 	} else if exists {
 		// config already exists, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcConfigPath, false)
 	if err != nil {
 		fmt.Println("Your service needs a config file that at least specifies the hostname option.")
 		fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
 		fmt.Print("Hostname: ")
 		reader := bufio.NewReader(os.Stdin)
 		input, _ := reader.ReadString('\n')
 		if input == "" {
 			return err
 		}
 		fmt.Fprintf(destFile, "hostname: %s\n", input)
 	} else {
 		defer srcFile.Close()
 		_, err = io.Copy(destFile, srcFile)
 		if err != nil {
 			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
 		}
 	}
 	return nil
 }
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -0,0 +1,428 @@
 package tail
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 	"github.com/google/uuid"
 	"github.com/mattn/go-colorable"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"nhooyr.io/websocket"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/management"
 )
 var buildInfo *cliutil.BuildInfo
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
 }
 func Command() *cli.Command {
 	subcommands := []*cli.Command{
 		buildTailManagementTokenSubcommand(),
 	}
 	return buildTailCommand(subcommands)
 }
 func buildTailManagementTokenSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:        "token",
 		Action:      cliutil.ConfiguredAction(managementTokenCommand),
 		Usage:       "Get management access jwt",
 		UsageText:   "cloudflared tail token TUNNEL_ID",
 		Description: `Get management access jwt for a tunnel`,
 		Hidden:      true,
 	}
 }
 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
 	}
 	tokenResponse := struct {
 		Token string `json:"token"`
 	}{Token: token}
 	return json.NewEncoder(os.Stdout).Encode(tokenResponse)
 }
 func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 	return &cli.Command{
 		Name:      "tail",
 		Action:    Run,
 		Usage:     "Stream logs from a remote cloudflared",
 		UsageText: "cloudflared tail [tail command options] [TUNNEL-ID]",
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "connector-id",
 				Usage:   "Access a specific cloudflared instance by connector id (for when a tunnel has multiple cloudflared's)",
 				Value:   "",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_CONNECTOR"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "event",
 				Usage:   "Filter by specific Events (cloudflared, http, tcp, udp) otherwise, defaults to send all events",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_EVENTS"},
 			},
 			&cli.StringFlag{
 				Name:    "level",
 				Usage:   "Filter by specific log levels (debug, info, warn, error). Filters by debug log level by default.",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_LEVEL"},
 				Value:   "debug",
 			},
 			&cli.Float64Flag{
 				Name:    "sample",
 				Usage:   "Sample log events by percentage (0.0 .. 1.0). No sampling by default.",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_SAMPLE"},
 				Value:   1.0,
 			},
 			&cli.StringFlag{
 				Name:    "token",
 				Usage:   "Access token for a specific tunnel",
 				Value:   "",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
 				Name:    "output",
 				Usage:   "Output format for the logs (default, json)",
 				Value:   "default",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
 			},
 			&cli.StringFlag{
 				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
 				Value:   "management.argotunnel.com",
 			},
 			&cli.StringFlag{
 				Name:   "trace",
 				Usage:  "Set a cf-trace-id for the request",
 				Hidden: true,
 				Value:  "",
 			},
 			&cli.StringFlag{
 				Name:    cfdflags.LogLevel,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			&cli.StringFlag{
 				Name:    cfdflags.OriginCert,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 		},
 		Subcommands: subcommands,
 	}
 }
 // Middleware validation error struct for returning to the eyeball
 type managementError struct {
 	Code    int    `json:"code,omitempty"`
 	Message string `json:"message,omitempty"`
 }
 // Middleware validation error HTTP response JSON for returning to the eyeball
 type managementErrorResponse struct {
 	Success bool              `json:"success,omitempty"`
 	Errors  []managementError `json:"errors,omitempty"`
 }
 func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 	if resp.StatusCode == 530 {
 		log.Error().Msgf("no cloudflared connector available or reachable via management request (a recent version of cloudflared is required to use streaming logs)")
 	}
 	var managementErr managementErrorResponse
 	err := json.NewDecoder(resp.Body).Decode(&managementErr)
 	if err != nil {
 		log.Error().Msgf("unable to start management log streaming session: http response code returned %d", resp.StatusCode)
 		return
 	}
 	if managementErr.Success || len(managementErr.Errors) == 0 {
 		log.Error().Msgf("management tunnel validation returned success with invalid HTTP response code to convert to a WebSocket request")
 		return
 	}
 	for _, e := range managementErr.Errors {
 		log.Error().Msgf("management request failed validation: (%d) %s", e.Code, e.Message)
 	}
 }
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
 	level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
 	log := zerolog.New(zerolog.ConsoleWriter{
 		Out:        colorable.NewColorable(os.Stderr),
 		TimeFormat: time.RFC3339,
 	}).With().Timestamp().Logger().Level(level)
 	return &log
 }
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
 	var sample float64
 	events := make([]management.LogEventType, 0)
 	argLevel := c.String("level")
 	argEvents := c.StringSlice("event")
 	argSample := c.Float64("sample")
 	if argLevel != "" {
 		l, ok := management.ParseLogLevel(argLevel)
 		if !ok {
 			return nil, fmt.Errorf("invalid --level filter provided, please use one of the following Log Levels: debug, info, warn, error")
 		}
 		level = &l
 	}
 	for _, v := range argEvents {
 		t, ok := management.ParseLogEventType(v)
 		if !ok {
 			return nil, fmt.Errorf("invalid --event filter provided, please use one of the following EventTypes: cloudflared, http, tcp, udp")
 		}
 		events = append(events, t)
 	}
 	if argSample <= 0.0 || argSample > 1.0 {
 		return nil, fmt.Errorf("invalid --sample value provided, please make sure it is in the range (0.0 .. 1.0)")
 	}
 	sample = argSample
 	if level == nil && len(events) == 0 && argSample != 1.0 {
 		// When no filters are provided, do not return a StreamingFilters struct
 		return nil, nil
 	}
 	return &management.StreamingFilters{
 		Level:    level,
 		Events:   events,
 		Sampling: sample,
 	}, nil
 }
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	if err != nil {
 		return "", err
 	}
 	client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
 	tunnelIDString := c.Args().First()
 	if tunnelIDString == "" {
 		return "", errors.New("no tunnel ID provided")
 	}
 	tunnelID, err := uuid.Parse(tunnelIDString)
 	if err != nil {
 		return "", errors.New("unable to parse provided tunnel id as a valid UUID")
 	}
 	token, err := client.GetManagementToken(tunnelID)
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
 	managementHostname := c.String("management-hostname")
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
 	if connector != "" {
 		connectorID, err := uuid.Parse(connector)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unabled to parse 'connector-id' flag into a valid UUID: %w", err)
 		}
 		query.Add("connector_id", connectorID.String())
 	}
 	return url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: query.Encode()}, nil
 }
 func printLine(log *management.Log, logger *zerolog.Logger) {
 	fields, err := json.Marshal(log.Fields)
 	if err != nil {
 		fields = []byte("unable to parse fields")
 		logger.Debug().Msgf("unable to parse fields from event %+v", log)
 	}
 	fmt.Printf("%s %s %s %s %s\n", log.Time, log.Level, log.Event, log.Message, fields)
 }
 func printJSON(log *management.Log, logger *zerolog.Logger) {
 	output, err := json.Marshal(log)
 	if err != nil {
 		logger.Debug().Msgf("unable to parse event to json %+v", log)
 	} else {
 		fmt.Println(string(output))
 	}
 }
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
 	log := createLogger(c)
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	output := "default"
 	switch c.String("output") {
 	case "default", "":
 		output = "default"
 	case "json":
 		output = "json"
 	default:
 		log.Err(errors.New("invalid --output value provided, please make sure it is one of: default, json")).Send()
 	}
 	filters, err := parseFilters(c)
 	if err != nil {
 		log.Error().Err(err).Msgf("invalid filters provided")
 		return nil
 	}
 	u, err := buildURL(c, log)
 	if err != nil {
 		log.Err(err).Msg("unable to construct management request URL")
 		return nil
 	}
 	header := make(http.Header)
 	header.Add("User-Agent", buildInfo.UserAgent())
 	trace := c.String("trace")
 	if trace != "" {
 		header["cf-trace-id"] = []string{trace}
 	}
 	ctx := c.Context
 	// nolint: bodyclose
 	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: header,
 	})
 	if err != nil {
 		if resp != nil && resp.StatusCode != http.StatusSwitchingProtocols {
 			handleValidationError(resp, log)
 			return nil
 		}
 		log.Error().Err(err).Msgf("unable to start management log streaming session")
 		return nil
 	}
 	defer conn.Close(websocket.StatusInternalError, "management connection was closed abruptly")
 	// Once connection is established, send start_streaming event to begin receiving logs
 	err = management.WriteEvent(conn, ctx, &management.EventStartStreaming{
 		ClientEvent: management.ClientEvent{Type: management.StartStreaming},
 		Filters:     filters,
 	})
 	if err != nil {
 		log.Error().Err(err).Msg("unable to request logs from management tunnel")
 		return nil
 	}
 	log.Debug().
 		Str("tunnel-id", c.Args().First()).
 		Str("connector-id", c.String("connector-id")).
 		Interface("filters", filters).
 		Msg("connected")
 	readerDone := make(chan struct{})
 	go func() {
 		defer close(readerDone)
 		for {
 			select {
 			case <-ctx.Done():
 				return
 			default:
 				event, err := management.ReadServerEvent(conn, ctx)
 				if err != nil {
 					if closeErr := management.AsClosed(err); closeErr != nil {
 						// If the client (or the server) already closed the connection, don't continue to
 						// attempt to read from the client.
 						if closeErr.Code == websocket.StatusNormalClosure {
 							return
 						}
 						// Only log abnormal closures
 						log.Error().Msgf("received remote closure: (%d) %s", closeErr.Code, closeErr.Reason)
 						return
 					}
 					log.Err(err).Msg("unable to read event from server")
 					return
 				}
 				switch event.Type {
 				case management.Logs:
 					logs, ok := management.IntoServerEvent(event, management.Logs)
 					if !ok {
 						log.Error().Msgf("invalid logs event")
 						continue
 					}
 					// Output all the logs received to stdout
 					for _, l := range logs.Logs {
 						if output == "json" {
 							printJSON(l, log)
 						} else {
 							printLine(l, log)
 						}
 					}
 				case management.UnknownServerEventType:
 					fallthrough
 				default:
 					log.Debug().Msgf("unexpected log event type: %s", event.Type)
 				}
 			}
 		}
 	}()
 	for {
 		select {
 		case <-ctx.Done():
 			return nil
 		case <-readerDone:
 			return nil
 		case <-signals:
 			log.Debug().Msg("closing management connection")
 			// Cleanly close the connection by sending a close message and then
 			// waiting (with timeout) for the server to close the connection.
 			conn.Close(websocket.StatusNormalClosure, "")
 			select {
 			case <-readerDone:
 			case <-time.After(time.Second):
 			}
 			return nil
 		}
 	}
 }
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -4,19 +4,19 @@ import (
 	"bufio"
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
 	"runtime/trace"
 	"strings"
 	"sync"
 	"time"
-	"github.com/coreos/go-systemd/daemon"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/facebookgo/grace/gracenet"
-	"github.com/getsentry/raven-go"
+	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
-	homedir "github.com/mitchellh/go-homedir"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -24,65 +24,44 @@ import (
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/ui"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 	"github.com/cloudflare/cloudflared/metrics"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/signal"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"github.com/cloudflare/cloudflared/tunnelstate"
 	"github.com/cloudflare/cloudflared/validation"
 )
 const (
 	sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
 	// sshPortFlag is the port on localhost the cloudflared ssh server will run on
 	sshPortFlag = "local-ssh-port"
 	// sshIdleTimeoutFlag defines the duration a SSH session can remain idle before being closed
 	sshIdleTimeoutFlag = "ssh-idle-timeout"
 	// sshMaxTimeoutFlag defines the max duration a SSH session can remain open for
 	sshMaxTimeoutFlag = "ssh-max-timeout"
 	// bucketNameFlag is the bucket name to use for the SSH log uploader
 	bucketNameFlag = "bucket-name"
 	// regionNameFlag is the AWS region name to use for the SSH log uploader
 	regionNameFlag = "region-name"
 	// secretIDFlag is the Secret id of SSH log uploader
 	secretIDFlag = "secret-id"
 	// accessKeyIDFlag is the Access key id of SSH log uploader
 	accessKeyIDFlag = "access-key-id"
 	// sessionTokenIDFlag is the Session token of SSH log uploader
 	sessionTokenIDFlag = "session-token"
 	// s3URLFlag is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
 	s3URLFlag = "s3-url-host"
 	// hostKeyPath is the path of the dir to save SSH host keys too
 	hostKeyPath = "host-key-path"
 	// uiFlag is to enable launching cloudflared in interactive UI mode
 	uiFlag = "ui"
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 	LogFieldCommand             = "command"
 	LogFieldExpandedPath        = "expandedPath"
 	LogFieldPIDPathname         = "pidPathname"
 	LogFieldTmpTraceFilename    = "tmpTraceFilename"
 	LogFieldTraceOutputFilepath = "traceOutputFilepath"
 	tunnelCmdErrorMessage = `You did not specify any valid additional argument to the cloudflared tunnel command.
 If you are trying to run a Quick Tunnel then you need to explicitly pass the --url flag.
 Eg. cloudflared tunnel --url localhost:8080/.
 Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
 For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
 `
 )
 var (
@ -92,6 +71,96 @@ var (
 	routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
 		"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
 		"any existing DNS records for this hostname.", overwriteDNSFlag)
 	errDeprecatedClassicTunnel = errors.New("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
 	// TODO: TUN-8756 the list below denotes the flags that do not possess any kind of sensitive information
 	// however this approach is not maintainble in the long-term.
 	nonSecretFlagsList = []string{
 		"config",
 		cfdflags.AutoUpdateFreq,
 		cfdflags.NoAutoUpdate,
 		cfdflags.Metrics,
 		"pidfile",
 		"url",
 		"hello-world",
 		"socks5",
 		"proxy-connect-timeout",
 		"proxy-tls-timeout",
 		"proxy-tcp-keepalive",
 		"proxy-no-happy-eyeballs",
 		"proxy-keepalive-connections",
 		"proxy-keepalive-timeout",
 		"proxy-connection-timeout",
 		"proxy-expect-continue-timeout",
 		"http-host-header",
 		"origin-server-name",
 		"unix-socket",
 		"origin-ca-pool",
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
 		"management-hostname",
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
 		"ssh-max-timeout",
 		"bucket-name",
 		"region-name",
 		"s3-url-host",
 		"host-key-path",
 		"ssh-server",
 		"bastion",
 		"proxy-address",
 		"proxy-port",
 		cfdflags.LogLevel,
 		cfdflags.TransportLogLevel,
 		cfdflags.LogFile,
 		cfdflags.LogDirectory,
 		cfdflags.TraceOutput,
 		cfdflags.ProxyDns,
 		"proxy-dns-port",
 		"proxy-dns-address",
 		"proxy-dns-upstream",
 		"proxy-dns-max-upstream-conns",
 		"proxy-dns-bootstrap",
 		cfdflags.IsAutoUpdated,
 		cfdflags.Edge,
 		cfdflags.Region,
 		cfdflags.EdgeIpVersion,
 		cfdflags.EdgeBindAddress,
 		"cacert",
 		"hostname",
 		"id",
 		cfdflags.LBPool,
 		cfdflags.ApiURL,
 		cfdflags.MetricsUpdateFreq,
 		cfdflags.Tag,
 		"heartbeat-interval",
 		"heartbeat-count",
 		cfdflags.MaxEdgeAddrRetries,
 		cfdflags.Retries,
 		"ha-connections",
 		"rpc-timeout",
 		"write-stream-timeout",
 		"quic-disable-pmtu-discovery",
 		"quic-connection-level-flow-control-limit",
 		"quic-stream-level-flow-control-limit",
 		cfdflags.ConnectorLabel,
 		cfdflags.GracePeriod,
 		"compression-quality",
 		"use-reconnect-token",
 		"dial-edge-timeout",
 		"stdin-control",
 		cfdflags.Name,
 		cfdflags.Ui,
 		"quick-service",
 		"max-fetch-size",
 		cfdflags.PostQuantum,
 		"management-diagnostics",
 		cfdflags.Protocol,
 		"overwrite-dns",
 		"help",
 		cfdflags.MaxActiveFlows,
 	}
 )
 func Flags() []cli.Flag {
@ -106,11 +175,13 @@ func Commands() []*cli.Command {
 		buildVirtualNetworkSubcommand(false),
 		buildRunCommand(),
 		buildListCommand(),
 		buildReadyCommand(),
 		buildInfoCommand(),
 		buildIngressSubcommand(),
 		buildDeleteCommand(),
 		buildCleanupCommand(),
 		buildTokenCommand(),
 		buildDiagCommand(),
 		// for compatibility, allow following as tunnel subcommands
 		proxydns.Command(true),
 		cliutil.RemovedCommand("db-connect"),
@ -137,7 +208,7 @@ then protect with Cloudflare Access).
  B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
 those enrolled to a Zero Trust WARP Client.
-You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
+You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command
 later in each machine where you wish to run a Tunnel.
 Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@ -167,21 +238,54 @@ func TunnelCommand(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	if name := c.String("name"); name != "" { // Start a named tunnel
+
 	// Run a adhoc named tunnel
 	// Allows for the creation, routing (optional), and startup of a tunnel in one command
 	// --name required
 	// --url or --hello-world required
 	// --hostname optional
 	if name := c.String(cfdflags.Name); name != "" {
 		hostname, err := validation.ValidateHostname(c.String("hostname"))
 		if err != nil {
 			return errors.Wrap(err, "Invalid hostname provided")
 		}
 		url := c.String("url")
 		if url == hostname && url != "" && hostname != "" {
 			return fmt.Errorf("hostname and url shouldn't match. See --help for more information")
 		}
 		return runAdhocNamedTunnel(sc, name, c.String(CredFileFlag))
 	}
 	// Run a quick tunnel
 	// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
 	// We don't support running proxy-dns and a quick tunnel at the same time as the same process
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
 	if !c.IsSet(cfdflags.ProxyDns) && c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
 	// If user provides a config, check to see if they meant to use `tunnel run` instead
 	if ref := config.GetConfiguration().TunnelID; ref != "" {
 		return fmt.Errorf("Use `cloudflared tunnel run` to start tunnel %s", ref)
 	}
-	// Unauthenticated named tunnel on <random>.<quick-tunnels-service>.com
+	// Classic tunnel usage is no longer supported
-	// For now, default to legacy setup unless quick-service is specified
+	if c.String("hostname") != "" {
-	if !dnsProxyStandAlone(c, nil) && c.String("hostname") == "" && c.String("quick-service") != "" {
+		return errDeprecatedClassicTunnel
 		return RunQuickTunnel(sc)
 	}
-	// Start a classic tunnel
+	if c.IsSet(cfdflags.ProxyDns) {
-	return runClassicTunnel(sc)
+		if shouldRunQuickTunnel {
 			return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
 		}
 		// NamedTunnelProperties are nil since proxy dns server does not need it.
 		// This is supported for legacy reasons: dns proxy server is not a tunnel and ideally should
 		// not run as part of cloudflared tunnel.
 		return StartServer(sc.c, buildInfo, nil, sc.log)
 	}
 	return errors.New(tunnelCmdErrorMessage)
 }
 func Init(info *cliutil.BuildInfo, gracefulShutdown chan struct{}) {
@ -216,14 +320,9 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
 	return nil
 }
 // runClassicTunnel creates a "classic" non-named tunnel
 func runClassicTunnel(sc *subcommandContext) error {
 	return StartServer(sc.c, buildInfo, nil, sc.log, sc.isUIEnabled)
 }
 func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 	if hostname := c.String("hostname"); hostname != "" {
-		if lbPool := c.String("lb-pool"); lbPool != "" {
+		if lbPool := c.String(cfdflags.LBPool); lbPool != "" {
 			return cfapi.NewLBRoute(hostname, lbPool), true
 		}
 		return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
@ -234,21 +333,27 @@ func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 func StartServer(
 	c *cli.Context,
 	info *cliutil.BuildInfo,
-	namedTunnel *connection.NamedTunnelProperties,
+	namedTunnel *connection.TunnelProperties,
 	log *zerolog.Logger,
 	isUIEnabled bool,
 ) error {
-	_ = raven.SetDSN(sentryDSN)
+	err := sentry.Init(sentry.ClientOptions{
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	var wg sync.WaitGroup
 	listeners := gracenet.Net{}
 	errC := make(chan error)
-	if config.GetConfiguration().Source() == "" {
+	// Only log for locally configured tunnels (Token is blank).
 	if config.GetConfiguration().Source() == "" && c.String(TunnelTokenFlag) == "" {
 		log.Info().Msg(config.ErrNoConfigFile.Error())
 	}
-	if c.IsSet("trace-output") {
+	if c.IsSet(cfdflags.TraceOutput) {
-		tmpTraceFile, err := ioutil.TempFile("", "trace")
+		tmpTraceFile, err := os.CreateTemp("", "trace")
 		if err != nil {
 			log.Err(err).Msg("Failed to create new temporary file to save trace output")
 		}
@ -259,7 +364,7 @@ func StartServer(
 			if err := tmpTraceFile.Close(); err != nil {
 				traceLog.Err(err).Msg("Failed to close temporary trace output file")
 			}
-			traceOutputFilepath := c.String("trace-output")
+			traceOutputFilepath := c.String(cfdflags.TraceOutput)
 			if err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil {
 				traceLog.
 					Err(err).
@ -284,12 +389,12 @@ func StartServer(
 	logClientOptions(c, log)
 	// this context drives the server, when it's cancelled tunnel and all other components (origins, dns, etc...) should stop
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(c.Context)
 	defer cancel()
 	go waitForSignal(graceShutdownC, log)
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		dnsReadySignal := make(chan struct{})
 		wg.Add(1)
 		go func() {
@ -311,29 +416,21 @@ func StartServer(
 	go func() {
 		defer wg.Done()
 		autoupdater := updater.NewAutoUpdater(
-			c.Bool("no-autoupdate"), c.Duration("autoupdate-freq"), &listeners, log,
+			c.Bool(cfdflags.NoAutoUpdate), c.Duration(cfdflags.AutoUpdateFreq), &listeners, log,
 		)
 		errC <- autoupdater.Run(ctx)
 	}()
-	// Serve DNS proxy stand-alone if no hostname or tag or app is going to run
+	// Serve DNS proxy stand-alone if no tunnel type (quick, adhoc, named) is going to run
 	if dnsProxyStandAlone(c, namedTunnel) {
 		connectedSignal.Notify()
 		// no grace period, handle SIGINT/SIGTERM immediately
 		return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
 	}
-	url := c.String("url")
+	logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
 	hostname := c.String("hostname")
 	if url == hostname && url != "" && hostname != "" {
 		errText := "hostname and url shouldn't match. See --help for more information"
 		log.Error().Msg(errText)
 		return fmt.Errorf(errText)
 	}
-	logTransport := logger.CreateTransportLoggerFromContext(c, isUIEnabled)
+	observer := connection.NewObserver(log, logTransport)
 	observer := connection.NewObserver(log, logTransport, isUIEnabled)
 	// Send Quick Tunnel URL to UI if applicable
 	var quickTunnelURL string
@ -344,7 +441,7 @@ func StartServer(
 		observer.SendURL(quickTunnelURL)
 	}
-	tunnelConfig, orchestratorConfig, err := prepareTunnelConfig(c, info, log, logTransport, observer, namedTunnel)
+	tunnelConfig, orchestratorConfig, err := prepareTunnelConfig(ctx, c, info, log, logTransport, observer, namedTunnel)
 	if err != nil {
 		log.Err(err).Msg("Couldn't start tunnel")
 		return err
@ -358,26 +455,76 @@ func StartServer(
 		}
 	}
-	orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, tunnelConfig.Log)
+	// Disable ICMP packet routing for quick tunnels
 	if quickTunnelURL != "" {
 		tunnelConfig.ICMPRouterServer = nil
 	}
 	serviceIP := c.String("service-op-ip")
 	if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
 		if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
 			serviceIP = serviceAddr.TCP.String()
 		}
 	}
 	mgmt := management.New(
 		c.String("management-hostname"),
 		c.Bool("management-diagnostics"),
 		serviceIP,
 		clientID,
 		c.String(cfdflags.ConnectorLabel),
 		logger.ManagementLogger.Log,
 		logger.ManagementLogger,
 	)
 	internalRules := []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
 	if err != nil {
 		return err
 	}
-	metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
+	metricsListener, err := metrics.CreateMetricsListener(&listeners, c.String("metrics"))
 	if err != nil {
 		log.Err(err).Msg("Error opening metrics server listener")
 		return errors.Wrap(err, "Error opening metrics server listener")
 	}
 	defer metricsListener.Close()
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		readinessServer := metrics.NewReadyServer(log, clientID)
+		tracker := tunnelstate.NewConnTracker(log)
-		observer.RegisterSink(readinessServer)
+		observer.RegisterSink(tracker)
-		errC <- metrics.ServeMetrics(metricsListener, ctx.Done(), readinessServer, quickTunnelURL, orchestrator, log)
+
 		ipv4, ipv6, err := determineICMPSources(c, log)
 		sources := make([]string, 0)
 		if err == nil {
 			sources = append(sources, ipv4.String())
 			sources = append(sources, ipv6.String())
 		}
 		readinessServer := metrics.NewReadyServer(clientID, tracker)
 		cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
 		diagnosticHandler := diagnostic.NewDiagnosticHandler(
 			log,
 			0,
 			diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
 			tunnelConfig.NamedTunnel.Credentials.TunnelID,
 			clientID,
 			tracker,
 			cliFlags,
 			sources,
 		)
 		metricsConfig := metrics.Config{
 			ReadyServer:         readinessServer,
 			DiagnosticHandler:   diagnosticHandler,
 			QuickTunnelHostname: quickTunnelURL,
 			Orchestrator:        orchestrator,
 		}
 		errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
 	}()
-	reconnectCh := make(chan supervisor.ReconnectSignal, 1)
+	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(cfdflags.HaConnections))
 	if c.IsSet("stdin-control") {
 		log.Info().Msg("Enabling control through stdin")
 		go stdinControl(reconnectCh, log)
@ -392,18 +539,6 @@ func StartServer(
 		errC <- supervisor.StartTunnelDaemon(ctx, tunnelConfig, orchestrator, connectedSignal, reconnectCh, graceShutdownC)
 	}()
 	if isUIEnabled {
 		tunnelUI := ui.NewUIModel(
 			info.Version(),
 			hostname,
 			metricsListener.Addr().String(),
 			orchestratorConfig.Ingress,
 			tunnelConfig.HAConnections,
 		)
 		app := tunnelUI.Launch(ctx, log, logTransport)
 		observer.RegisterSink(app)
 	}
 	gracePeriod, err := gracePeriod(c)
 	if err != nil {
 		return err
@ -426,8 +561,10 @@ func waitToShutdown(wg *sync.WaitGroup,
 		log.Debug().Msg("Graceful shutdown signalled")
 		if gracePeriod > 0 {
 			// wait for either grace period or service termination
 			ticker := time.NewTicker(gracePeriod)
 			defer ticker.Stop()
 			select {
-			case <-time.Tick(gracePeriod):
+			case <-ticker.C:
 			case <-errC:
 			}
 		}
@ -455,7 +592,7 @@ func waitToShutdown(wg *sync.WaitGroup,
 func notifySystemd(waitForSignal *signal.Signal) {
 	<-waitForSignal.Wait()
-	daemon.SdNotify(false, "READY=1")
+	_, _ = daemon.SdNotify(false, "READY=1")
 }
 func writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) {
@ -502,34 +639,40 @@ func addPortIfMissing(uri *url.URL, port int) string {
 func tunnelFlags(shouldHide bool) []cli.Flag {
 	flags := configureCloudflaredFlags(shouldHide)
 	flags = append(flags, configureProxyFlags(shouldHide)...)
-	flags = append(flags, configureLoggingFlags(shouldHide)...)
+	flags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...)
 	flags = append(flags, configureProxyDNSFlags(shouldHide)...)
 	flags = append(flags, []cli.Flag{
 		credentialsFileFlag,
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   "is-autoupdated",
+			Name:   cfdflags.IsAutoUpdated,
 			Usage:  "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
 			Value:  false,
 			Hidden: true,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "edge",
+			Name:    cfdflags.Edge,
 			Usage:   "Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.",
 			EnvVars: []string{"TUNNEL_EDGE"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "region",
+			Name:    cfdflags.Region,
 			Usage:   "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
 			EnvVars: []string{"TUNNEL_REGION"},
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-ip-version",
+			Name:    cfdflags.EdgeIpVersion,
-			Usage:   "Cloudflare Edge ip address version to connect with. {4, 6, auto}",
+			Usage:   "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
 			EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
 			Value:   "4",
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    cfdflags.EdgeBindAddress,
 			Usage:   "Bind to IP address for outgoing connections to Cloudflare Edge.",
 			EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    tlsconfig.CaCertFlag,
 			Usage:   "Certificate Authority authenticating connections with Cloudflare's edge network.",
@ -549,7 +692,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "lb-pool",
+			Name:    cfdflags.LBPool,
 			Usage:   "The name of a (new/existing) load balancing pool to add this origin to.",
 			EnvVars: []string{"TUNNEL_LB_POOL"},
 			Hidden:  shouldHide,
@ -573,24 +716,24 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "api-url",
+			Name:    cfdflags.ApiURL,
 			Usage:   "Base URL for Cloudflare API v4",
 			EnvVars: []string{"TUNNEL_API_URL"},
 			Value:   "https://api.cloudflare.com/client/v4",
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "metrics-update-freq",
+			Name:    cfdflags.MetricsUpdateFreq,
 			Usage:   "Frequency to update tunnel metrics",
 			Value:   time.Second * 5,
 			EnvVars: []string{"TUNNEL_METRICS_UPDATE_FREQ"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "tag",
+			Name:    cfdflags.Tag,
-			Usage:   "Custom tags used to identify this tunnel, in format `KEY=VALUE`. Multiple tags may be specified",
+			Usage:   "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
 			EnvVars: []string{"TUNNEL_TAG"},
-			Hidden:  shouldHide,
+			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   "heartbeat-interval",
@ -605,21 +748,65 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:  5,
 			Hidden: true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:   cfdflags.MaxEdgeAddrRetries,
 			Usage:  "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
 			Value:  8,
 			Hidden: true,
 		}),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:    "retries",
+			Name:    cfdflags.Retries,
 			Value:   5,
 			Usage:   "Maximum number of retries for connection/protocol errors.",
 			EnvVars: []string{"TUNNEL_RETRIES"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   "ha-connections",
+			Name:   cfdflags.HaConnections,
 			Value:  4,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "grace-period",
+			Name:   cfdflags.RpcTimeout,
 			Value:  5 * time.Second,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:    cfdflags.WriteStreamTimeout,
 			EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
 			Usage:   "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
 			Value:   0 * time.Second,
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    cfdflags.QuicDisablePathMTUDiscovery,
 			EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
 			Usage:   "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
 			Value:   false,
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    cfdflags.QuicConnLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   30 * (1 << 20), // 30 MB
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    cfdflags.QuicStreamLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   6 * (1 << 20), // 6 MB
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:  cfdflags.ConnectorLabel,
 			Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
 			Value: "",
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:    cfdflags.GracePeriod,
 			Usage:   "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
 			Value:   time.Second * 30,
 			EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
@ -655,17 +842,17 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "name",
+			Name:    cfdflags.Name,
 			Aliases: []string{"n"},
 			EnvVars: []string{"TUNNEL_NAME"},
 			Usage:   "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   uiFlag,
+			Name:   cfdflags.Ui,
-			Usage:  "Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
+			Usage:  "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
 			Value:  false,
-			Hidden: shouldHide,
+			Hidden: true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:   "quick-service",
@ -679,6 +866,18 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			EnvVars: []string{"TUNNEL_MAX_FETCH_SIZE"},
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    cfdflags.PostQuantum,
 			Usage:   "When given creates an experimental post-quantum secure tunnel",
 			Aliases: []string{"pq"},
 			EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    "management-diagnostics",
 			Usage:   "Enables the in-depth diagnostic routes to be made available over the management service (/debug/pprof, /metrics, etc.)",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_DIAGNOSTICS"},
 			Value:   true,
 		}),
 		selectProtocolFlag,
 		overwriteDNSFlag,
 	}...)
@ -696,29 +895,35 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
 			Hidden: shouldHide,
 		},
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "origincert",
+			Name:    cfdflags.OriginCert,
 			Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
-			Value:   findDefaultOriginCertPath(),
+			Value:   credentials.FindDefaultOriginCertPath(),
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   "autoupdate-freq",
+			Name:   cfdflags.AutoUpdateFreq,
 			Usage:  fmt.Sprintf("Autoupdate frequency. Default is %v.", updater.DefaultCheckUpdateFreq),
 			Value:  updater.DefaultCheckUpdateFreq,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "no-autoupdate",
+			Name:    cfdflags.NoAutoUpdate,
 			Usage:   "Disable periodic check for updates, restarting the server with the new version.",
 			EnvVars: []string{"NO_AUTOUPDATE"},
 			Value:   false,
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "metrics",
+			Name:  cfdflags.Metrics,
-			Value:   "localhost:",
+			Value: metrics.GetMetricsDefaultAddress(metrics.Runtime),
-			Usage:   "Listen address for metrics reporting.",
+			Usage: fmt.Sprintf(
 				`Listen address for metrics reporting. If no address is passed cloudflared will try to bind to %v.
 If all are unavailable, a random port will be used. Note that when running cloudflared from an virtual
 environment the default address binds to all interfaces, hence, it is important to isolate the host
 and virtualized host network stacks from each other`,
 				metrics.GetMetricsKnownAddresses(metrics.Runtime),
 			),
 			EnvVars: []string{"TUNNEL_METRICS"},
 			Hidden:  shouldHide,
 		}),
@ -741,7 +946,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "hello-world",
+			Name:    ingress.HelloWorldFlag,
 			Value:   false,
 			Usage:   "Run Hello World Server",
 			EnvVars: []string{"TUNNEL_HELLO_WORLD"},
@ -844,6 +1049,20 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "management-hostname",
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,
 			Value:   "management.argotunnel.com",
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "service-op-ip",
 			Usage:   "Fallback IP for service operations run by the management service.",
 			EnvVars: []string{"TUNNEL_SERVICE_OP_IP"},
 			Hidden:  true,
 			Value:   "198.41.200.113:80",
 		}),
 	}
 	return append(flags, sshFlags(shouldHide)...)
 }
@ -860,62 +1079,62 @@ func legacyTunnelFlag(msg string) string {
 func sshFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sshPortFlag,
+			Name:    cfdflags.SshPort,
 			Usage:   "Localhost port that cloudflared SSH server will run on",
 			Value:   "2222",
 			EnvVars: []string{"LOCAL_SSH_PORT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshIdleTimeoutFlag,
+			Name:    cfdflags.SshIdleTimeout,
 			Usage:   "Connection timeout after no activity",
 			EnvVars: []string{"SSH_IDLE_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshMaxTimeoutFlag,
+			Name:    cfdflags.SshMaxTimeout,
 			Usage:   "Absolute connection timeout",
 			EnvVars: []string{"SSH_MAX_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    bucketNameFlag,
+			Name:    cfdflags.SshLogUploaderBucketName,
 			Usage:   "Bucket name of where to upload SSH logs",
 			EnvVars: []string{"BUCKET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    regionNameFlag,
+			Name:    cfdflags.SshLogUploaderRegionName,
 			Usage:   "Region name of where to upload SSH logs",
 			EnvVars: []string{"REGION_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    secretIDFlag,
+			Name:    cfdflags.SshLogUploaderSecretID,
 			Usage:   "Secret ID of where to upload SSH logs",
 			EnvVars: []string{"SECRET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    accessKeyIDFlag,
+			Name:    cfdflags.SshLogUploaderAccessKeyID,
 			Usage:   "Access Key ID of where to upload SSH logs",
 			EnvVars: []string{"ACCESS_CLIENT_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sessionTokenIDFlag,
+			Name:    cfdflags.SshLogUploaderSessionTokenID,
 			Usage:   "Session Token to use in the configuration of SSH logs uploading",
 			EnvVars: []string{"SESSION_TOKEN_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    s3URLFlag,
+			Name:    cfdflags.SshLogUploaderS3URL,
 			Usage:   "S3 url of where to upload SSH logs",
 			EnvVars: []string{"S3_URL"},
 			Hidden:  true,
 		}),
 		altsrc.NewPathFlag(&cli.PathFlag{
-			Name:    hostKeyPath,
+			Name:    cfdflags.HostKeyPath,
 			Usage:   "Absolute path of directory to save SSH host keys in",
 			EnvVars: []string{"HOST_KEY_PATH"},
 			Hidden:  true,
@ -952,48 +1171,10 @@ func sshFlags(shouldHide bool) []cli.Flag {
 	}
 }
 func configureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogLevelFlag,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogTransportLevelFlag,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
 			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogFileFlag,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogDirectoryFlag,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "trace-output",
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 	}
 }
 func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "proxy-dns",
+			Name:    cfdflags.ProxyDns,
 			Usage:   "Run a DNS over HTTPS proxy server.",
 			EnvVars: []string{"TUNNEL_DNS"},
 			Hidden:  shouldHide,
@ -1073,3 +1254,46 @@ reconnect [delay]
 		}
 	}
 }
 func nonSecretCliFlags(log *zerolog.Logger, cli *cli.Context, flagInclusionList []string) map[string]string {
 	flagsNames := cli.FlagNames()
 	flags := make(map[string]string, len(flagsNames))
 	for _, flag := range flagsNames {
 		value := cli.String(flag)
 		if value == "" {
 			continue
 		}
 		isIncluded := isFlagIncluded(flagInclusionList, flag)
 		if !isIncluded {
 			continue
 		}
 		switch flag {
 		case cfdflags.LogDirectory, cfdflags.LogFile:
 			{
 				absolute, err := filepath.Abs(value)
 				if err != nil {
 					log.Error().Err(err).Msgf("could not convert %s path to absolute", flag)
 				} else {
 					flags[flag] = absolute
 				}
 			}
 		default:
 			flags[flag] = value
 		}
 	}
 	return flags
 }
 func isFlagIncluded(flagInclusionList []string, flag string) bool {
 	for _, include := range flagInclusionList {
 		if include == flag {
 			return true
 		}
 	}
 	return false
 }
--- a/cmd/cloudflared/tunnel/config_test.go
+++ b/cmd/cloudflared/tunnel/config_test.go
@ -1,13 +0,0 @@
 package tunnel
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestDedup(t *testing.T) {
 	expected := []string{"a", "b"}
 	actual := dedup([]string{"a", "b", "a"})
 	require.ElementsMatch(t, expected, actual)
 }
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -1,74 +1,61 @@
 package tunnel
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"io/ioutil"
+	"net"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
-	"github.com/cloudflare/cloudflared/h2mux"
+	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	"github.com/cloudflare/cloudflared/validation"
 )
-const LogFieldOriginCertPath = "originCertPath"
+const (
-const secretValue = "*****"
+	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
 	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 var (
-	developerPortal = "https://developers.cloudflare.com/argo-tunnel"
+	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
 	serviceUrl      = developerPortal + "/reference/service/"
 	argumentsUrl    = developerPortal + "/reference/arguments/"
-	LogFieldHostname = "hostname"
+	configFlags = []string{
-
+		flags.AutoUpdateFreq,
-	secretFlags     = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
+		flags.NoAutoUpdate,
-	defaultFeatures = []string{supervisor.FeatureAllowRemoteConfig, supervisor.FeatureSerializedHeaders}
+		flags.Retries,
-
+		flags.Protocol,
-	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version"}
+		flags.LogLevel,
 		flags.TransportLogLevel,
 		flags.OriginCert,
 		flags.Metrics,
 		flags.MetricsUpdateFreq,
 		flags.EdgeIpVersion,
 		flags.EdgeBindAddress,
 		flags.MaxActiveFlows,
 	}
 )
 // returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories
 // contains a cert.pem file, return empty string
 func findDefaultOriginCertPath() string {
 	for _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {
 		originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, config.DefaultCredentialFile))
 		if ok, _ := config.FileExists(originCertPath); ok {
 			return originCertPath
 		}
 	}
 	return ""
 }
 func generateRandomClientID(log *zerolog.Logger) (string, error) {
 	u, err := uuid.NewRandom()
 	if err != nil {
 		log.Error().Msgf("couldn't create UUID for client ID %s", err)
 		return "", err
 	}
 	return u.String(), nil
 }
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
 	for _, flag := range c.FlagNames() {
@ -123,175 +110,63 @@ func isSecretEnvVar(key string) bool {
 	return false
 }
-func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool {
+func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
-	return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world") && namedTunnel == nil)
+	return c.IsSet(flags.ProxyDns) &&
-}
+		!(c.IsSet(flags.Name) || // adhoc-named tunnel
-
+			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
-func findOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {
+			namedTunnel != nil) // named tunnel
 	if originCertPath == "" {
 		log.Info().Msgf("Cannot determine default origin certificate path. No file %s in %v", config.DefaultCredentialFile, config.DefaultConfigSearchDirectories())
 		if isRunningFromTerminal() {
 			log.Error().Msgf("You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", argumentsUrl)
 			return "", fmt.Errorf("client didn't specify origincert path when running from terminal")
 		} else {
 			log.Error().Msgf("You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", serviceUrl)
 			return "", fmt.Errorf("client didn't specify origincert path")
 		}
 	}
 	var err error
 	originCertPath, err = homedir.Expand(originCertPath)
 	if err != nil {
 		log.Err(err).Msgf("Cannot resolve origin certificate path")
 		return "", fmt.Errorf("cannot resolve path %s", originCertPath)
 	}
 	// Check that the user has acquired a certificate using the login command
 	ok, err := config.FileExists(originCertPath)
 	if err != nil {
 		log.Error().Err(err).Msgf("Cannot check if origin cert exists at path %s", originCertPath)
 		return "", fmt.Errorf("cannot check if origin cert exists at path %s", originCertPath)
 	}
 	if !ok {
 		log.Error().Msgf(`Cannot find a valid certificate for your origin at the path:
    %s
 If the path above is wrong, specify the path with the -origincert option.
 If you don't have a certificate signed by Cloudflare, run the command:
 	%s login
 `, originCertPath, os.Args[0])
 		return "", fmt.Errorf("cannot find a valid certificate at the path %s", originCertPath)
 	}
 	return originCertPath, nil
 }
 func readOriginCert(originCertPath string) ([]byte, error) {
 	// Easier to send the certificate as []byte via RPC than decoding it at this point
 	originCert, err := ioutil.ReadFile(originCertPath)
 	if err != nil {
 		return nil, fmt.Errorf("cannot read %s to load origin certificate", originCertPath)
 	}
 	return originCert, nil
 }
 func getOriginCert(originCertPath string, log *zerolog.Logger) ([]byte, error) {
 	if originCertPath, err := findOriginCert(originCertPath, log); err != nil {
 		return nil, err
 	} else {
 		return readOriginCert(originCertPath)
 	}
 }
 func prepareTunnelConfig(
 	ctx context.Context,
 	c *cli.Context,
 	info *cliutil.BuildInfo,
 	log, logTransport *zerolog.Logger,
 	observer *connection.Observer,
-	namedTunnel *connection.NamedTunnelProperties,
+	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
-	isNamedTunnel := namedTunnel != nil
+	clientID, err := uuid.NewRandom()
 	configHostname := c.String("hostname")
 	hostname, err := validation.ValidateHostname(configHostname)
 	if err != nil {
-		log.Err(err).Str(LogFieldHostname, configHostname).Msg("Invalid hostname")
+		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 		return nil, nil, errors.Wrap(err, "Invalid hostname")
 	}
-	clientID := c.String("id")
+	log.Info().Msgf("Generated Connector ID: %s", clientID)
-	if !c.IsSet("id") {
+	tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
 		clientID, err = generateRandomClientID(log)
 		if err != nil {
 			return nil, nil, err
 		}
 	}
 	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
 	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
-	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID})
+	transportProtocol := c.String(flags.Protocol)
 	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
-	var (
+	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), c.Bool(flags.PostQuantum), log)
-		ingressRules  ingress.Ingress
+	if err != nil {
-		classicTunnel *connection.ClassicTunnelProperties
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
-	)
+	}
-
+	clientFeatures := featureSelector.ClientFeatures()
-	transportProtocol := c.String("protocol")
+	pqMode := featureSelector.PostQuantumMode()
-	protocolFetcher := edgediscovery.ProtocolPercentage
+	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
 			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
 		}
 		transportProtocol = connection.QUIC.String()
 	}
 	namedTunnel.Client = pogs.ClientInfo{
 		ClientID: clientID[:],
 		Features: clientFeatures,
 		Version:  info.Version(),
 		Arch:     info.OSArch(),
 	}
 	cfg := config.GetConfiguration()
-	if isNamedTunnel {
+	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
-		clientUUID, err := uuid.NewRandom()
+	if err != nil {
-		if err != nil {
+		return nil, nil, err
 			return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 		}
 		log.Info().Msgf("Generated Connector ID: %s", clientUUID)
 		features := append(c.StringSlice("features"), defaultFeatures...)
 		if c.IsSet(TunnelTokenFlag) {
 			if transportProtocol == connection.AutoSelectFlag {
 				protocolFetcher = func() (edgediscovery.ProtocolPercents, error) {
 					// If the Tunnel is remotely managed and no protocol is set, we prefer QUIC, but still allow fall-back.
 					preferQuic := []edgediscovery.ProtocolPercent{
 						{
 							Protocol:   connection.QUIC.String(),
 							Percentage: 100,
 						},
 						{
 							Protocol:   connection.HTTP2.String(),
 							Percentage: 100,
 						},
 					}
 					return preferQuic, nil
 				}
 			}
 			log.Info().Msg("Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic")
 		}
 		namedTunnel.Client = tunnelpogs.ClientInfo{
 			ClientID: clientUUID[:],
 			Features: dedup(features),
 			Version:  info.Version(),
 			Arch:     info.OSArch(),
 		}
 		ingressRules, err = ingress.ParseIngress(cfg)
 		if err != nil && err != ingress.ErrNoIngressRules {
 			return nil, nil, err
 		}
 		if !ingressRules.IsEmpty() && c.IsSet("url") {
 			return nil, nil, ingress.ErrURLIncompatibleWithIngress
 		}
 	} else {
 		originCertPath := c.String("origincert")
 		originCertLog := log.With().
 			Str(LogFieldOriginCertPath, originCertPath).
 			Logger()
 		originCert, err := getOriginCert(originCertPath, &originCertLog)
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "Error getting origin cert")
 		}
 		classicTunnel = &connection.ClassicTunnelProperties{
 			Hostname:   hostname,
 			OriginCert: originCert,
 			// turn off use of reconnect token and auth refresh when using named tunnels
 			UseReconnectToken: !isNamedTunnel && c.Bool("use-reconnect-token"),
 		}
 	}
-	// Convert single-origin configuration into multi-origin configuration.
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), isPostQuantumEnforced, edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
 	if ingressRules.IsEmpty() {
 		ingressRules, err = ingress.NewSingleOrigin(c, !isNamedTunnel)
 		if err != nil {
 			return nil, nil, err
 		}
 	}
 	warpRoutingEnabled := isWarpRoutingEnabled(cfg.WarpRouting, isNamedTunnel)
 	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, warpRoutingEnabled, namedTunnel, protocolFetcher, supervisor.ResolveTTL, log)
 	if err != nil {
 		return nil, nil, err
 	}
@ -317,49 +192,79 @@ func prepareTunnelConfig(
 	if err != nil {
 		return nil, nil, err
 	}
-	muxerConfig := &connection.MuxerConfig{
+	edgeIPVersion, err := parseConfigIPVersion(c.String(flags.EdgeIpVersion))
 		HeartbeatInterval: c.Duration("heartbeat-interval"),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		MaxHeartbeats: uint64(c.Int("heartbeat-count")),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		CompressionSetting: h2mux.CompressionSetting(uint64(c.Int("compression-quality"))),
 		MetricsUpdateFreq:  c.Duration("metrics-update-freq"),
 	}
 	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
 	if err != nil {
 		return nil, nil, err
 	}
 	edgeBindAddr, err := parseConfigBindAddress(c.String(flags.EdgeBindAddress))
 	if err != nil {
 		return nil, nil, err
 	}
 	if err := testIPBindable(edgeBindAddr); err != nil {
 		return nil, nil, fmt.Errorf("invalid edge-bind-address %s: %v", edgeBindAddr, err)
 	}
 	edgeIPVersion, err = adjustIPVersionByBindAddress(edgeIPVersion, edgeBindAddr)
 	if err != nil {
 		// This is not a fatal error, we just overrode edgeIPVersion
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 	region := c.String(flags.Region)
 	endpoint := namedTunnel.Credentials.Endpoint
 	var resolvedRegion string
 	// set resolvedRegion to either the region passed as argument
 	// or to the endpoint in the credentials.
 	// Region and endpoint are interchangeable
 	if region != "" && endpoint != "" {
 		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
 	} else if region != "" {
 		resolvedRegion = region
 	} else if endpoint != "" {
 		resolvedRegion = endpoint
 	}
 	tunnelConfig := &supervisor.TunnelConfig{
 		GracePeriod:     gracePeriod,
-		ReplaceExisting: c.Bool("force"),
+		ReplaceExisting: c.Bool(flags.Force),
 		OSArch:          info.OSArch(),
-		ClientID:        clientID,
+		ClientID:        clientID.String(),
-		EdgeAddrs:       c.StringSlice("edge"),
+		EdgeAddrs:       c.StringSlice(flags.Edge),
-		Region:          c.String("region"),
+		Region:          resolvedRegion,
 		EdgeIPVersion:   edgeIPVersion,
-		HAConnections:   c.Int("ha-connections"),
+		EdgeBindAddr:    edgeBindAddr,
-		IncidentLookup:  supervisor.NewIncidentLookup(),
+		HAConnections:   c.Int(flags.HaConnections),
-		IsAutoupdated:   c.Bool("is-autoupdated"),
+		IsAutoupdated:   c.Bool(flags.IsAutoUpdated),
-		LBPool:          c.String("lb-pool"),
+		LBPool:          c.String(flags.LBPool),
 		Tags:            tags,
 		Log:             log,
 		LogTransport:    logTransport,
 		Observer:        observer,
 		ReportedVersion: info.Version(),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		Retries:          uint(c.Int("retries")),
+		Retries:                             uint(c.Int(flags.Retries)), // nolint: gosec
-		RunFromTerminal:  isRunningFromTerminal(),
+		RunFromTerminal:                     isRunningFromTerminal(),
-		NamedTunnel:      namedTunnel,
+		NamedTunnel:                         namedTunnel,
-		ClassicTunnel:    classicTunnel,
+		ProtocolSelector:                    protocolSelector,
-		MuxerConfig:      muxerConfig,
+		EdgeTLSConfigs:                      edgeTLSConfigs,
-		ProtocolSelector: protocolSelector,
+		FeatureSelector:                     featureSelector,
-		EdgeTLSConfigs:   edgeTLSConfigs,
+		MaxEdgeAddrRetries:                  uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec
 		RPCTimeout:                          c.Duration(flags.RpcTimeout),
 		WriteStreamTimeout:                  c.Duration(flags.WriteStreamTimeout),
 		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
 		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
 	}
 	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
 		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
 	} else {
 		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
 		Ingress:            &ingressRules,
 		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
 		ConfigurationFlags: parseConfigFlags(c),
 		WriteTimeout:       tunnelConfig.WriteStreamTimeout,
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@ -377,38 +282,15 @@ func parseConfigFlags(c *cli.Context) map[string]string {
 }
 func gracePeriod(c *cli.Context) (time.Duration, error) {
-	period := c.Duration("grace-period")
+	period := c.Duration(flags.GracePeriod)
 	if period > connection.MaxGracePeriod {
-		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
+		return time.Duration(0), fmt.Errorf("%s must be equal or less than %v", flags.GracePeriod, connection.MaxGracePeriod)
 	}
 	return period, nil
 }
 func isWarpRoutingEnabled(warpConfig config.WarpRoutingConfig, isNamedTunnel bool) bool {
 	return warpConfig.Enabled && isNamedTunnel
 }
 func isRunningFromTerminal() bool {
-	return terminal.IsTerminal(int(os.Stdout.Fd()))
+	return term.IsTerminal(int(os.Stdout.Fd()))
 }
 // Remove any duplicates from the slice
 func dedup(slice []string) []string {
 	// Convert the slice into a set
 	set := make(map[string]bool, 0)
 	for _, str := range slice {
 		set[str] = true
 	}
 	// Convert the set back into a slice
 	keys := make([]string, len(set))
 	i := 0
 	for str := range set {
 		keys[i] = str
 		i++
 	}
 	return keys
 }
 // ParseConfigIPVersion returns the IP version from possible expected values from config
@ -425,3 +307,197 @@ func parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err err
 	}
 	return
 }
 func parseConfigBindAddress(ipstr string) (net.IP, error) {
 	// Unspecified - it's fine
 	if ipstr == "" {
 		return nil, nil
 	}
 	ip := net.ParseIP(ipstr)
 	if ip == nil {
 		return nil, fmt.Errorf("invalid value for edge-bind-address: %s", ipstr)
 	}
 	return ip, nil
 }
 func testIPBindable(ip net.IP) error {
 	// "Unspecified" = let OS choose, so always bindable
 	if ip == nil {
 		return nil
 	}
 	addr := &net.UDPAddr{IP: ip, Port: 0}
 	listener, err := net.ListenUDP("udp", addr)
 	if err != nil {
 		return err
 	}
 	listener.Close()
 	return nil
 }
 func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.IP) (allregions.ConfigIPVersion, error) {
 	if ip == nil {
 		return ipVersion, nil
 	}
 	// https://pkg.go.dev/net#IP.To4: "If ip is not an IPv4 address, To4 returns nil."
 	if ip.To4() != nil {
 		if ipVersion == allregions.IPv6Only {
 			return allregions.IPv4Only, fmt.Errorf("IPv4 bind address is specified, but edge-ip-version is IPv6")
 		}
 		return allregions.IPv4Only, nil
 	} else {
 		if ipVersion == allregions.IPv4Only {
 			return allregions.IPv6Only, fmt.Errorf("IPv6 bind address is specified, but edge-ip-version is IPv4")
 		}
 		return allregions.IPv6Only, nil
 	}
 }
 func newICMPRouter(c *cli.Context, logger *zerolog.Logger) (ingress.ICMPRouterServer, error) {
 	ipv4Src, ipv6Src, err := determineICMPSources(c, logger)
 	if err != nil {
 		return nil, err
 	}
 	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, logger, icmpFunnelTimeout)
 	if err != nil {
 		return nil, err
 	}
 	return icmpRouter, nil
 }
 func determineICMPSources(c *cli.Context, logger *zerolog.Logger) (netip.Addr, netip.Addr, error) {
 	ipv4Src, err := determineICMPv4Src(c.String(flags.ICMPV4Src), logger)
 	if err != nil {
 		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
 	}
 	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
 	ipv6Src, zone, err := determineICMPv6Src(c.String(flags.ICMPV6Src), logger, ipv4Src)
 	if err != nil {
 		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
 	}
 	if zone != "" {
 		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
 	} else {
 		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
 	}
 	return ipv4Src, ipv6Src, nil
 }
 func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
 	if userDefinedSrc != "" {
 		addr, err := netip.ParseAddr(userDefinedSrc)
 		if err != nil {
 			return netip.Addr{}, err
 		}
 		if addr.Is4() {
 			return addr, nil
 		}
 		return netip.Addr{}, fmt.Errorf("expect IPv4, but %s is IPv6", userDefinedSrc)
 	}
 	addr, err := findLocalAddr(net.ParseIP("192.168.0.1"), 53)
 	if err != nil {
 		addr = netip.IPv4Unspecified()
 		logger.Debug().Err(err).Msgf("Failed to determine the IPv4 for this machine. It will use %s to send/listen for ICMPv4 echo", addr)
 	}
 	return addr, nil
 }
 type interfaceIP struct {
 	name string
 	ip   net.IP
 }
 func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
 	if userDefinedSrc != "" {
 		addr, err := netip.ParseAddr(userDefinedSrc)
 		if err != nil {
 			return netip.Addr{}, "", err
 		}
 		if addr.Is6() {
 			return addr, addr.Zone(), nil
 		}
 		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
 	}
 	// Loop through all the interfaces, the preference is
 	// 1. The interface where ipv4Src is in
 	// 2. Interface with IPv6 address
 	// 3. Unspecified interface
 	interfaces, err := net.Interfaces()
 	if err != nil {
 		return netip.IPv6Unspecified(), "", nil
 	}
 	interfacesWithIPv6 := make([]interfaceIP, 0)
 	for _, interf := range interfaces {
 		interfaceAddrs, err := interf.Addrs()
 		if err != nil {
 			continue
 		}
 		foundIPv4SrcInterface := false
 		for _, interfaceAddr := range interfaceAddrs {
 			if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
 				ip := ipnet.IP
 				if ip.Equal(ipv4Src.AsSlice()) {
 					foundIPv4SrcInterface = true
 				}
 				if ip.To4() == nil {
 					interfacesWithIPv6 = append(interfacesWithIPv6, interfaceIP{
 						name: interf.Name,
 						ip:   ip,
 					})
 				}
 			}
 		}
 		// Found the interface of ipv4Src. Loop through the addresses to see if there is an IPv6
 		if foundIPv4SrcInterface {
 			for _, interfaceAddr := range interfaceAddrs {
 				if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
 					ip := ipnet.IP
 					if ip.To4() == nil {
 						addr, err := netip.ParseAddr(ip.String())
 						if err == nil {
 							return addr, interf.Name, nil
 						}
 					}
 				}
 			}
 		}
 	}
 	for _, interf := range interfacesWithIPv6 {
 		addr, err := netip.ParseAddr(interf.ip.String())
 		if err == nil {
 			return addr, interf.name, nil
 		}
 	}
 	logger.Debug().Err(err).Msgf("Failed to determine the IPv6 for this machine. It will use %s to send/listen for ICMPv6 echo", netip.IPv6Unspecified())
 	return netip.IPv6Unspecified(), "", nil
 }
 // FindLocalAddr tries to dial UDP and returns the local address picked by the OS
 func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	udpConn, err := net.DialUDP("udp", nil, &net.UDPAddr{
 		IP:   dst,
 		Port: port,
 	})
 	if err != nil {
 		return netip.Addr{}, err
 	}
 	defer udpConn.Close()
 	localAddrPort, err := netip.ParseAddrPort(udpConn.LocalAddr().String())
 	if err != nil {
 		return netip.Addr{}, err
 	}
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
--- a/cmd/cloudflared/tunnel/configuration_test.go
+++ b/cmd/cloudflared/tunnel/configuration_test.go
@ -1,5 +1,4 @@
 //go:build ignore
 // +build ignore
 // TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
@ -9,6 +8,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"net"
 	"os"
 	"testing"
@ -214,3 +214,23 @@ func getCertPoolSubjects(certPool *x509.CertPool) ([]*pkix.Name, error) {
 func isUnrecoverableError(err error) bool {
 	return err != nil && err.Error() != "crypto/x509: system root pool is not available on Windows"
 }
 func TestTestIPBindable(t *testing.T) {
 	assert.Nil(t, testIPBindable(nil))
 	// Public services - if one of these IPs is on the machine, the test environment is too weird
 	assert.NotNil(t, testIPBindable(net.ParseIP("8.8.8.8")))
 	assert.NotNil(t, testIPBindable(net.ParseIP("1.1.1.1")))
 	addrs, err := net.InterfaceAddrs()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for i, addr := range addrs {
 		if i >= 3 {
 			break
 		}
 		ip := addr.(*net.IPNet).IP
 		assert.Nil(t, testIPBindable(ip))
 	}
 }
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
@ -4,7 +4,9 @@ import (
 	"fmt"
 	"path/filepath"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
@ -56,13 +58,13 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
 }
 func (s searchByID) Path() (string, error) {
-	originCertPath := s.c.String("origincert")
+	originCertPath := s.c.String(cfdflags.OriginCert)
 	originCertLog := s.log.With().
-		Str(LogFieldOriginCertPath, originCertPath).
+		Str("originCertPath", originCertPath).
 		Logger()
 	// Fallback to look for tunnel credentials in the origin cert directory
-	if originCertPath, err := findOriginCert(originCertPath, &originCertLog); err == nil {
+	if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
 		originCertDir := filepath.Dir(originCertPath)
 		if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
 			if s.fs.validFilePath(filePath) {
--- a/cmd/cloudflared/tunnel/filesystem.go
+++ b/cmd/cloudflared/tunnel/filesystem.go
@ -1,7 +1,6 @@
 package tunnel
 import (
 	"io/ioutil"
 	"os"
 )
@ -23,5 +22,5 @@ func (fs realFileSystem) validFilePath(path string) bool {
 }
 func (fs realFileSystem) readFile(filePath string) ([]byte, error) {
-	return ioutil.ReadFile(filePath)
+	return os.ReadFile(filePath)
 }
--- a/cmd/cloudflared/tunnel/ingress_subcommands.go
+++ b/cmd/cloudflared/tunnel/ingress_subcommands.go
@ -139,7 +139,7 @@ func testURLCommand(c *cli.Context) error {
 	}
 	_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
-	fmt.Printf("Matched rule #%d\n", i+1)
+	fmt.Printf("Matched rule #%d\n", i)
 	fmt.Println(ing.Rules[i].MultiLineString())
 	return nil
 }
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -2,7 +2,6 @@ package tunnel
 import (
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
@ -14,13 +13,38 @@ import (
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/token"
 )
 const (
-	baseLoginURL     = "https://dash.cloudflare.com/argotunnel"
+	baseLoginURL = "https://dash.cloudflare.com/argotunnel"
-	callbackStoreURL = "https://login.cloudflareaccess.org/"
+	callbackURL  = "https://login.cloudflareaccess.org/"
 	// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
 	fedBaseLoginURL      = "https://dash.cloudflare.com/argotunnel"
 	fedCallbackStoreURL  = "https://login.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
 )
 var (
 	loginURL = &cli.StringFlag{
 		Name:  loginURLParamName,
 		Value: baseLoginURL,
 		Usage: "The URL used to login (default is https://dash.cloudflare.com/argotunnel)",
 	}
 	callbackStore = &cli.StringFlag{
 		Name:  callbackURLParamName,
 		Value: callbackURL,
 		Usage: "The URL used for the callback (default is https://login.cloudflareaccess.org/)",
 	}
 	fedramp = &cli.BoolFlag{
 		Name:    fedRAMPParamName,
 		Aliases: []string{"f"},
 		Usage:   "Login with FedRAMP High environment.",
 	}
 )
 func buildLoginSubcommand(hidden bool) *cli.Command {
@ -30,6 +54,11 @@ func buildLoginSubcommand(hidden bool) *cli.Command {
 		Usage:     "Generate a configuration file with your login details",
 		ArgsUsage: " ",
 		Hidden:    hidden,
 		Flags: []cli.Flag{
 			loginURL,
 			callbackStore,
 			fedramp,
 		},
 	}
 }
@ -38,20 +67,31 @@ func login(c *cli.Context) error {
 	path, ok, err := checkForExistingCert()
 	if ok {
-		fmt.Fprintf(os.Stdout, "You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
+		log.Error().Err(err).Msgf("You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
 		return nil
 	} else if err != nil {
 		return err
 	}
-	loginURL, err := url.Parse(baseLoginURL)
+	var (
 		baseloginURL     = c.String(loginURLParamName)
 		callbackStoreURL = c.String(callbackURLParamName)
 	)
 	isFEDRamp := c.Bool(fedRAMPParamName)
 	if isFEDRamp {
 		baseloginURL = fedBaseLoginURL
 		callbackStoreURL = fedCallbackStoreURL
 	}
 	loginURL, err := url.Parse(baseloginURL)
 	if err != nil {
 		// shouldn't happen, URL is hardcoded
 		return err
 	}
 	resourceData, err := token.RunTransfer(
 		loginURL,
 		"",
 		"cert",
 		"callback",
 		callbackStoreURL,
@ -60,15 +100,31 @@ func login(c *cli.Context) error {
 		log,
 	)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
+		log.Error().Err(err).Msgf("Failed to write the certificate.\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", path)
 		return err
 	}
-	if err := ioutil.WriteFile(path, resourceData, 0600); err != nil {
+	cert, err := credentials.DecodeOriginCert(resourceData)
 	if err != nil {
 		log.Error().Err(err).Msg("failed to decode origin certificate")
 		return err
 	}
 	if isFEDRamp {
 		cert.Endpoint = credentials.FedEndpoint
 	}
 	resourceData, err = cert.EncodeOriginCert()
 	if err != nil {
 		log.Error().Err(err).Msg("failed to encode origin certificate")
 		return err
 	}
 	if err := os.WriteFile(path, resourceData, 0600); err != nil {
 		return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
 	}
-	fmt.Fprintf(os.Stdout, "You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
+	log.Info().Msgf("You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
 	return nil
 }
@ -85,7 +141,7 @@ func checkForExistingCert() (string, bool, error) {
 	if err != nil {
 		return "", false, err
 	}
-	path := filepath.Join(configPath, config.DefaultCredentialFile)
+	path := filepath.Join(configPath, credentials.DefaultCredentialFile)
 	fileInfo, err := os.Stat(path)
 	if err == nil && fileInfo.Size() > 0 {
 		return path, true, nil
--- a/cmd/cloudflared/tunnel/quick_tunnel.go
+++ b/cmd/cloudflared/tunnel/quick_tunnel.go
@ -3,6 +3,7 @@ package tunnel
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"time"
@ -10,15 +11,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 )
 const httpTimeout = 15 * time.Second
-const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to" +
+const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 	" experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee. If you " +
 	"intend to use Tunnels in production you should use a pre-created named tunnel by following: " +
 	"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 // RunQuickTunnel requests a tunnel from the specified service.
 // We use this to power quick tunnels on trycloudflare.com, but the
@ -35,14 +34,29 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		Timeout: httpTimeout,
 	}
-	resp, err := client.Post(fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), "application/json", nil)
+	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), nil)
 	if err != nil {
 		return errors.Wrap(err, "failed to build quick tunnel request")
 	}
 	req.Header.Add("Content-Type", "application/json")
 	req.Header.Add("User-Agent", buildInfo.UserAgent())
 	resp, err := client.Do(req)
 	if err != nil {
 		return errors.Wrap(err, "failed to request quick Tunnel")
 	}
 	defer resp.Body.Close()
 	// This will read the entire response into memory so we can print it in case of error
 	rsp_body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return errors.Wrap(err, "failed to read quick-tunnel response")
 	}
 	var data QuickTunnelResponse
-	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
+	if err := json.Unmarshal(rsp_body, &data); err != nil {
 		rsp_string := string(rsp_body)
 		fields := map[string]interface{}{"status_code": resp.Status}
 		sc.log.Err(err).Fields(fields).Msgf("Error unmarshaling QuickTunnel response: %s", rsp_string)
 		return errors.Wrap(err, "failed to unmarshal quick Tunnel")
 	}
@ -69,16 +83,18 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		sc.log.Info().Msg(line)
 	}
-	if !sc.c.IsSet("protocol") {
+	if !sc.c.IsSet(flags.Protocol) {
-		sc.c.Set("protocol", "quic")
+		_ = sc.c.Set(flags.Protocol, "quic")
 	}
 	// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
 	// so, use a single connection instead.
 	_ = sc.c.Set(flags.HaConnections, "1")
 	return StartServer(
 		sc.c,
 		buildInfo,
-		&connection.NamedTunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
+		&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
 		sc.log,
 		sc.isUIEnabled,
 	)
 }
--- a/cmd/cloudflared/tunnel/signal_test.go
+++ b/cmd/cloudflared/tunnel/signal_test.go
@ -1,5 +1,4 @@
 //go:build !windows
 // +build !windows
 package tunnel
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -9,119 +9,93 @@ import (
 	"strings"
 	"github.com/google/uuid"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/certutil"
 	"github.com/cloudflare/cloudflared/cfapi"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 )
-type errInvalidJSONCredential struct {
+const fedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4"
 type invalidJSONCredentialError struct {
 	err  error
 	path string
 }
-func (e errInvalidJSONCredential) Error() string {
+func (e invalidJSONCredentialError) Error() string {
 	return "Invalid JSON when parsing tunnel credentials file"
 }
 // subcommandContext carries structs shared between subcommands, to reduce number of arguments needed to
 // pass between subcommands, and make sure they are only initialized once
 type subcommandContext struct {
-	c           *cli.Context
+	c   *cli.Context
-	log         *zerolog.Logger
+	log *zerolog.Logger
-	isUIEnabled bool
+	fs  fileSystem
 	fs          fileSystem
 	// These fields should be accessed using their respective Getter
 	tunnelstoreClient cfapi.Client
-	userCredential    *userCredential
+	userCredential    *credentials.User
 }
 func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 	isUIEnabled := c.IsSet(uiFlag) && c.String("name") != ""
 	// If UI is enabled, terminal log output should be disabled -- log should be written into a UI log window instead
 	log := logger.CreateLoggerFromContext(c, isUIEnabled)
 	return &subcommandContext{
-		c:           c,
+		c:   c,
-		log:         log,
+		log: logger.CreateLoggerFromContext(c, logger.EnableTerminalLog),
-		isUIEnabled: isUIEnabled,
+		fs:  realFileSystem{},
 		fs:          realFileSystem{},
 	}, nil
 }
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
-		return newStaticPath(path, sc.fs)
+		// Expand path if CredFileFlag contains `~`
 		absPath, err := homedir.Expand(path)
 		if err != nil {
 			return newStaticPath(path, sc.fs)
 		}
 		return newStaticPath(absPath, sc.fs)
 	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
 type userCredential struct {
 	cert     *certutil.OriginCert
 	certPath string
 }
 func (sc *subcommandContext) client() (cfapi.Client, error) {
 	if sc.tunnelstoreClient != nil {
 		return sc.tunnelstoreClient, nil
 	}
-	credential, err := sc.credential()
+	cred, err := sc.credential()
 	if err != nil {
 		return nil, err
 	}
 	userAgent := fmt.Sprintf("cloudflared/%s", buildInfo.Version())
 	client, err := cfapi.NewRESTClient(
 		sc.c.String("api-url"),
 		credential.cert.AccountID,
 		credential.cert.ZoneID,
 		credential.cert.ServiceKey,
 		userAgent,
 		sc.log,
 	)
 	var apiURL string
 	if cred.IsFEDEndpoint() {
 		sc.log.Info().Str("api-url", fedRampBaseApiURL).Msg("using fedramp base api")
 		apiURL = fedRampBaseApiURL
 	} else {
 		apiURL = sc.c.String(cfdflags.ApiURL)
 	}
 	sc.tunnelstoreClient, err = cred.Client(apiURL, buildInfo.UserAgent(), sc.log)
 	if err != nil {
 		return nil, err
 	}
-	sc.tunnelstoreClient = client
+	return sc.tunnelstoreClient, nil
 	return client, nil
 }
-func (sc *subcommandContext) credential() (*userCredential, error) {
+func (sc *subcommandContext) credential() (*credentials.User, error) {
 	if sc.userCredential == nil {
-		originCertPath := sc.c.String("origincert")
+		uc, err := credentials.Read(sc.c.String(cfdflags.OriginCert), sc.log)
 		originCertLog := sc.log.With().
 			Str(LogFieldOriginCertPath, originCertPath).
 			Logger()
 		originCertPath, err := findOriginCert(originCertPath, &originCertLog)
 		if err != nil {
-			return nil, errors.Wrap(err, "Error locating origin cert")
+			return nil, err
 		}
 		blocks, err := readOriginCert(originCertPath)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Can't read origin cert from %s", originCertPath)
 		}
 		cert, err := certutil.DecodeOriginCert(blocks)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error decoding origin cert")
 		}
 		if cert.AccountID == "" {
 			return nil, errors.Errorf(`Origin certificate needs to be refreshed before creating new tunnels.\nDelete %s and run "cloudflared login" to obtain a new cert.`, originCertPath)
 		}
 		sc.userCredential = &userCredential{
 			cert:     cert,
 			certPath: originCertPath,
 		}
 		sc.userCredential = uc
 	}
 	return sc.userCredential, nil
 }
@ -138,13 +112,13 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
-		if strings.HasSuffix(filePath, ".pem") {
+		if filepath.Ext(filePath) == ".pem" {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
 				"login`.")
 		}
-		return connection.Credentials{}, errInvalidJSONCredential{path: filePath, err: err}
+		return connection.Credentials{}, invalidJSONCredentialError{path: filePath, err: err}
 	}
 	return credentials, nil
 }
@ -166,7 +140,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		if err != nil {
 			return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
 		}
-		tunnelSecret = []byte(decodedSecret)
+		tunnelSecret = decodedSecret
 		if len(tunnelSecret) < 32 {
 			return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
 		}
@ -182,13 +156,13 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
-		AccountTag:   credential.cert.AccountID,
+		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
-		originCertDir := filepath.Dir(credential.certPath)
+		originCertDir := filepath.Dir(credential.CertPath())
 		credentialsFilePath, err = tunnelFilePath(tunnelCredentials.TunnelID, originCertDir)
 		if err != nil {
 			return nil, err
@ -200,11 +174,11 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		var errorLines []string
 		errorLines = append(errorLines, fmt.Sprintf("Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write tunnel credentials to %s.", tunnel.Name, tunnel.ID, credentialsFilePath))
 		errorLines = append(errorLines, fmt.Sprintf("The file-writing error is: %v", writeFileErr))
-		if deleteErr := client.DeleteTunnel(tunnel.ID); deleteErr != nil {
+		if deleteErr := client.DeleteTunnel(tunnel.ID, true); deleteErr != nil {
 			errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
 			errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
 		} else {
-			errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
+			errorLines = append(errorLines, "The tunnel was deleted, because the tunnel can't be run without the credentials file")
 		}
 		errorMsg := strings.Join(errorLines, "\n")
 		return nil, errors.New(errorMsg)
@ -233,7 +207,7 @@ func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel,
 }
 func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
-	forceFlagSet := sc.c.Bool("force")
+	forceFlagSet := sc.c.Bool(cfdflags.Force)
 	client, err := sc.client()
 	if err != nil {
@ -250,13 +224,8 @@ func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
 		if !tunnel.DeletedAt.IsZero() {
 			return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
 		}
 		if forceFlagSet {
 			if err := client.CleanupConnections(tunnel.ID, cfapi.NewCleanupParams()); err != nil {
 				return errors.Wrapf(err, "Error cleaning up connections for tunnel %s", tunnel.ID)
 			}
 		}
-		if err := client.DeleteTunnel(tunnel.ID); err != nil {
+		if err := client.DeleteTunnel(tunnel.ID, forceFlagSet); err != nil {
 			return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
 		}
@ -278,7 +247,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 	var err error
 	if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
 		if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
-			err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
+			err = invalidJSONCredentialError{path: "TUNNEL_CRED_CONTENTS", err: err}
 		}
 	} else {
 		credFinder := sc.credentialFinder(tunnelID)
@ -294,7 +263,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
 	credentials, err := sc.findCredentials(tunnelID)
 	if err != nil {
-		if e, ok := err.(errInvalidJSONCredential); ok {
+		if e, ok := err.(invalidJSONCredentialError); ok {
 			sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path)
 			sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error())
 		}
@ -310,9 +279,8 @@ func (sc *subcommandContext) runWithCredentials(credentials connection.Credentia
 	return StartServer(
 		sc.c,
 		buildInfo,
-		&connection.NamedTunnelProperties{Credentials: credentials},
+		&connection.TunnelProperties{Credentials: credentials},
 		sc.log,
 		sc.isUIEnabled,
 	)
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
@ -1,6 +1,9 @@
 package tunnel
 import (
 	"net"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cfapi"
@ -24,12 +27,12 @@ func (sc *subcommandContext) addRoute(newRoute cfapi.NewRoute) (cfapi.Route, err
 	return client.AddRoute(newRoute)
 }
-func (sc *subcommandContext) deleteRoute(params cfapi.DeleteRouteParams) error {
+func (sc *subcommandContext) deleteRoute(id uuid.UUID) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
-	return client.DeleteRoute(params)
+	return client.DeleteRoute(id)
 }
 func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfapi.DetailedRoute, error) {
@ -39,3 +42,25 @@ func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfap
 	}
 	return client.GetByIP(params)
 }
 func (sc *subcommandContext) getRouteId(network net.IPNet, vnetId *uuid.UUID) (uuid.UUID, error) {
 	filters := cfapi.NewIPRouteFilter()
 	filters.NotDeleted()
 	filters.NetworkIsSubsetOf(network)
 	filters.NetworkIsSupersetOf(network)
 	if vnetId != nil {
 		filters.VNetID(*vnetId)
 	}
 	result, err := sc.listRoutes(filters)
 	if err != nil {
 		return uuid.Nil, err
 	}
 	if len(result) != 1 {
 		return uuid.Nil, errors.New("unable to find route for provided network and vnet")
 	}
 	return result[0].ID, nil
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_test.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_test.go
@ -16,6 +16,7 @@ import (
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 )
 type mockFileSystem struct {
@ -35,10 +36,9 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 	type fields struct {
 		c                 *cli.Context
 		log               *zerolog.Logger
 		isUIEnabled       bool
 		fs                fileSystem
 		tunnelstoreClient cfapi.Client
-		userCredential    *userCredential
+		userCredential    *credentials.User
 	}
 	type args struct {
 		tunnelID uuid.UUID
@ -168,7 +168,6 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 			sc := &subcommandContext{
 				c:                 tt.fields.c,
 				log:               tt.fields.log,
 				isUIEnabled:       tt.fields.isUIEnabled,
 				fs:                tt.fields.fs,
 				tunnelstoreClient: tt.fields.tunnelstoreClient,
 				userCredential:    tt.fields.userCredential,
@ -220,7 +219,7 @@ func (d *deleteMockTunnelStore) GetTunnelToken(tunnelID uuid.UUID) (string, erro
 	return "token", nil
 }
-func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID) error {
+func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
@ -251,7 +250,7 @@ func Test_subcommandContext_Delete(t *testing.T) {
 		isUIEnabled       bool
 		fs                fileSystem
 		tunnelstoreClient *deleteMockTunnelStore
-		userCredential    *userCredential
+		userCredential    *credentials.User
 	}
 	type args struct {
 		tunnelIDs []uuid.UUID
@ -307,7 +306,6 @@ func Test_subcommandContext_Delete(t *testing.T) {
 			sc := &subcommandContext{
 				c:                 tt.fields.c,
 				log:               tt.fields.log,
 				isUIEnabled:       tt.fields.isUIEnabled,
 				fs:                tt.fields.fs,
 				tunnelstoreClient: tt.fields.tunnelstoreClient,
 				userCredential:    tt.fields.userCredential,
--- a/cmd/cloudflared/tunnel/subcommand_context_vnets.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_vnets.go
@ -23,12 +23,12 @@ func (sc *subcommandContext) listVirtualNetworks(filter *cfapi.VnetFilter) ([]*c
 	return client.ListVirtualNetworks(filter)
 }
-func (sc *subcommandContext) deleteVirtualNetwork(vnetId uuid.UUID) error {
+func (sc *subcommandContext) deleteVirtualNetwork(vnetId uuid.UUID, force bool) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
-	return client.DeleteVirtualNetwork(vnetId)
+	return client.DeleteVirtualNetwork(vnetId, force)
 }
 func (sc *subcommandContext) updateVirtualNetwork(vnetId uuid.UUID, updates cfapi.UpdateVirtualNetwork) error {
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -5,7 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
@ -15,28 +16,40 @@ import (
 	"time"
 	"github.com/google/uuid"
-	homedir "github.com/mitchellh/go-homedir"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/net/idna"
-	yaml "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/fips"
 	"github.com/cloudflare/cloudflared/metrics"
 )
 const (
-	allSortByOptions     = "name, id, createdAt, deletedAt, numConnections"
+	allSortByOptions        = "name, id, createdAt, deletedAt, numConnections"
-	connsSortByOptions   = "id, startedAt, numConnections, version"
+	connsSortByOptions      = "id, startedAt, numConnections, version"
-	CredFileFlagAlias    = "cred-file"
+	CredFileFlagAlias       = "cred-file"
-	CredFileFlag         = "credentials-file"
+	CredFileFlag            = "credentials-file"
-	CredContentsFlag     = "credentials-contents"
+	CredContentsFlag        = "credentials-contents"
-	TunnelTokenFlag      = "token"
+	TunnelTokenFlag         = "token"
-	overwriteDNSFlagName = "overwrite-dns"
+	TunnelTokenFileFlag     = "token-file"
 	overwriteDNSFlagName    = "overwrite-dns"
 	noDiagLogsFlagName      = "no-diag-logs"
 	noDiagMetricsFlagName   = "no-diag-metrics"
 	noDiagSystemFlagName    = "no-diag-system"
 	noDiagRuntimeFlagName   = "no-diag-runtime"
 	noDiagNetworkFlagName   = "no-diag-network"
 	diagContainerIDFlagName = "diag-container-id"
 	diagPodFlagName         = "diag-pod-id"
 	LogFieldTunnelID = "tunnelID"
 )
@ -48,7 +61,7 @@ var (
 		Usage:   "Include deleted tunnels in the list",
 	}
 	listNameFlag = &cli.StringFlag{
-		Name:    "name",
+		Name:    flags.Name,
 		Aliases: []string{"n"},
 		Usage:   "List tunnels with the given `NAME`",
 	}
@ -95,16 +108,8 @@ var (
 		Usage:   "Inverts the sort order of the tunnel list.",
 		EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
 	}
 	forceFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
 		Name:    "force",
 		Aliases: []string{"f"},
 		Usage: "By default, if a tunnel is currently being run from a cloudflared, you can't " +
 			"simultaneously rerun it again from a second cloudflared. The --force flag lets you " +
 			"overwrite the previous tunnel. If you want to use a single hostname with multiple " +
 			"tunnels, you can do so with Cloudflare's Load Balancer product.",
 	})
 	featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-		Name:    "features",
+		Name:    flags.Features,
 		Aliases: []string{"F"},
 		Usage:   "Opt into various features that are still being developed or tested.",
 	})
@ -122,24 +127,36 @@ var (
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
-		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
+		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
 	tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFileFlag,
 		Usage:   "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN_FILE"},
 	})
 	forceDeleteFlag = &cli.BoolFlag{
-		Name:    "force",
+		Name:    flags.Force,
 		Aliases: []string{"f"},
-		Usage: "Cleans up any stale connections before the tunnel is deleted. cloudflared will not " +
+		Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
-			"delete a tunnel with connections without this flag.",
+			" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
 		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
 	}
 	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
-		Name:    "protocol",
+		Name:    flags.Protocol,
 		Value:   connection.AutoSelectFlag,
 		Aliases: []string{"p"},
 		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
 		EnvVars: []string{"TUNNEL_TRANSPORT_PROTOCOL"},
 		Hidden:  true,
 	})
 	postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
 		Name:    flags.PostQuantum,
 		Usage:   "When given creates an experimental post-quantum secure tunnel",
 		Aliases: []string{"pq"},
 		EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 		Hidden:  fips.IsFipsEnabled(),
 	})
 	sortInfoByFlag = &cli.StringFlag{
 		Name:    "sort-by",
 		Value:   "createdAt",
@ -169,6 +186,61 @@ var (
 		Usage:   "Base64 encoded secret to set for the tunnel. The decoded secret must be at least 32 bytes long. If not specified, a random 32-byte secret will be generated.",
 		EnvVars: []string{"TUNNEL_CREATE_SECRET"},
 	}
 	icmpv4SrcFlag = &cli.StringFlag{
 		Name:    flags.ICMPV4Src,
 		Usage:   "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
 		EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
 	}
 	icmpv6SrcFlag = &cli.StringFlag{
 		Name:    flags.ICMPV6Src,
 		Usage:   "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
 		EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
 	}
 	metricsFlag = &cli.StringFlag{
 		Name:  flags.Metrics,
 		Usage: "The metrics server address i.e.: 127.0.0.1:12345. If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.",
 		Value: "",
 	}
 	diagContainerFlag = &cli.StringFlag{
 		Name:  diagContainerIDFlagName,
 		Usage: "Container ID or Name to collect logs from",
 		Value: "",
 	}
 	diagPodFlag = &cli.StringFlag{
 		Name:  diagPodFlagName,
 		Usage: "Kubernetes POD to collect logs from",
 		Value: "",
 	}
 	noDiagLogsFlag = &cli.BoolFlag{
 		Name:  noDiagLogsFlagName,
 		Usage: "Log collection will not be performed",
 		Value: false,
 	}
 	noDiagMetricsFlag = &cli.BoolFlag{
 		Name:  noDiagMetricsFlagName,
 		Usage: "Metric collection will not be performed",
 		Value: false,
 	}
 	noDiagSystemFlag = &cli.BoolFlag{
 		Name:  noDiagSystemFlagName,
 		Usage: "System information collection will not be performed",
 		Value: false,
 	}
 	noDiagRuntimeFlag = &cli.BoolFlag{
 		Name:  noDiagRuntimeFlagName,
 		Usage: "Runtime information collection will not be performed",
 		Value: false,
 	}
 	noDiagNetworkFlag = &cli.BoolFlag{
 		Name:  noDiagNetworkFlagName,
 		Usage: "Network diagnostics won't be performed",
 		Value: false,
 	}
 	maxActiveFlowsFlag = &cli.Uint64Flag{
 		Name:    flags.MaxActiveFlows,
 		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
 		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
 	}
 )
 func buildCreateCommand() *cli.Command {
@ -232,7 +304,7 @@ func writeTunnelCredentials(filePath string, credentials *connection.Credentials
 	if err != nil {
 		return errors.Wrap(err, "Unable to marshal tunnel credentials to JSON")
 	}
-	return ioutil.WriteFile(filePath, body, 400)
+	return os.WriteFile(filePath, body, 0400)
 }
 func buildListCommand() *cli.Command {
@ -271,7 +343,7 @@ func listCommand(c *cli.Context) error {
 	if !c.Bool("show-deleted") {
 		filter.NoDeleted()
 	}
-	if name := c.String("name"); name != "" {
+	if name := c.String(flags.Name); name != "" {
 		filter.ByName(name)
 	}
 	if namePrefix := c.String("name-prefix"); namePrefix != "" {
@ -365,7 +437,6 @@ func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected
 }
 func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
 	// Count connections per colo
 	numConnsPerColo := make(map[string]uint, len(connections))
 	for _, connection := range connections {
@ -382,13 +453,51 @@ func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected boo
 	sort.Strings(sortedColos)
 	// Map each colo to its frequency, combine into output string.
-	var output []string
+	output := make([]string, 0, len(sortedColos))
 	for _, coloName := range sortedColos {
 		output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName))
 	}
 	return strings.Join(output, ", ")
 }
 func buildReadyCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "ready",
 		Action:             cliutil.ConfiguredAction(readyCommand),
 		Usage:              "Call /ready endpoint and return proper exit code",
 		UsageText:          "cloudflared tunnel [tunnel command options] ready [subcommand options]",
 		Description:        "cloudflared tunnel ready will return proper exit code based on the /ready endpoint",
 		Flags:              []cli.Flag{},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func readyCommand(c *cli.Context) error {
 	metricsOpts := c.String(flags.Metrics)
 	if !c.IsSet(flags.Metrics) {
 		return errors.New("--metrics has to be provided")
 	}
 	requestURL := fmt.Sprintf("http://%s/ready", metricsOpts)
 	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		return err
 	}
 	res, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
 		body, err := io.ReadAll(res.Body)
 		if err != nil {
 			return err
 		}
 		return fmt.Errorf("http://%s/ready endpoint returned status code %d\n%s", metricsOpts, res.StatusCode, body)
 	}
 	return nil
 }
 func buildInfoCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "info",
@ -599,12 +708,16 @@ func renderOutput(format string, v interface{}) error {
 func buildRunCommand() *cli.Command {
 	flags := []cli.Flag{
 		forceFlag,
 		credentialsFileFlag,
 		credentialsContentsFlag,
 		postQuantumFlag,
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
 		tunnelTokenFileFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 		maxActiveFlowsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@ -612,7 +725,7 @@ func buildRunCommand() *cli.Command {
 		Action:    cliutil.ConfiguredAction(runCommand),
 		Usage:     "Proxy a local web server by running the given tunnel",
 		UsageText: "cloudflared tunnel [tunnel command options] run [subcommand options] [TUNNEL]",
-		Description: `Runs the tunnel identified by name or UUUD, creating highly available connections
+		Description: `Runs the tunnel identified by name or UUID, creating highly available connections
  between your server and the Cloudflare edge. You can provide name or UUID of tunnel to run either as the
  last command line argument or in the configuration file using "tunnel: TUNNEL".
@ -642,12 +755,22 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 	tokenStr := c.String(TunnelTokenFlag)
 	// Check if tokenStr is blank before checking for tokenFile
 	if tokenStr == "" {
 		if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
 			data, err := os.ReadFile(tokenFile)
 			if err != nil {
 				return cliutil.UsageError("Failed to read token file: " + err.Error())
 			}
 			tokenStr = strings.TrimSpace(string(data))
 		}
 	}
 	// Check if token is provided and if not use default tunnelID flag method
-	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
+	if tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
@ -763,7 +886,7 @@ func tokenCommand(c *cli.Context) error {
 		return err
 	}
-	fmt.Printf("%s", encodedToken)
+	fmt.Println(encodedToken)
 	return nil
 }
@ -801,7 +924,7 @@ Further information about managing Cloudflare WARP traffic to your tunnel is ava
 				Name:        "lb",
 				Action:      cliutil.ConfiguredAction(routeLbCommand),
 				Usage:       "Use this tunnel as a load balancer origin, creating pool and load balancer if necessary",
-				UsageText:   "cloudflared tunnel route dns [TUNNEL] [HOSTNAME] [LB-POOL]",
+				UsageText:   "cloudflared tunnel route lb [TUNNEL] [HOSTNAME] [LB-POOL-NAME]",
 				Description: `Creates Load Balancer with an origin pool that points to the tunnel.`,
 			},
 			buildRouteIPSubcommand(),
@ -852,8 +975,10 @@ func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
 	return cfapi.NewLBRoute(lbName, lbPool), nil
 }
-var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+var (
-var hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+	nameRegex     = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 	hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 )
 func validateName(s string, allowWildcardSubdomain bool) bool {
 	if allowWildcardSubdomain {
@ -921,7 +1046,7 @@ func commandHelpTemplate() string {
 	for _, f := range configureCloudflaredFlags(false) {
 		parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
 	}
-	for _, f := range configureLoggingFlags(false) {
+	for _, f := range cliutil.ConfigureLoggingFlags(false) {
 		parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
 	}
 	const template = `NAME:
@ -941,3 +1066,78 @@ SUBCOMMAND OPTIONS:
 `
 	return fmt.Sprintf(template, parentFlagsHelp)
 }
 func buildDiagCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "diag",
 		Action:      cliutil.ConfiguredAction(diagCommand),
 		Usage:       "Creates a diagnostic report from a local cloudflared instance",
 		UsageText:   "cloudflared tunnel [tunnel command options] diag [subcommand options]",
 		Description: "cloudflared tunnel diag will create a diagnostic report of a local cloudflared instance. The diagnostic procedure collects: logs, metrics, system information, traceroute to Cloudflare Edge, and runtime information. Since there may be multiple instances of cloudflared running the --metrics option may be provided to target a specific instance.",
 		Flags: []cli.Flag{
 			metricsFlag,
 			diagContainerFlag,
 			diagPodFlag,
 			noDiagLogsFlag,
 			noDiagMetricsFlag,
 			noDiagSystemFlag,
 			noDiagRuntimeFlag,
 			noDiagNetworkFlag,
 		},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func diagCommand(ctx *cli.Context) error {
 	sctx, err := newSubcommandContext(ctx)
 	if err != nil {
 		return err
 	}
 	log := sctx.log
 	options := diagnostic.Options{
 		KnownAddresses: metrics.GetMetricsKnownAddresses(metrics.Runtime),
 		Address:        sctx.c.String(flags.Metrics),
 		ContainerID:    sctx.c.String(diagContainerIDFlagName),
 		PodID:          sctx.c.String(diagPodFlagName),
 		Toggles: diagnostic.Toggles{
 			NoDiagLogs:    sctx.c.Bool(noDiagLogsFlagName),
 			NoDiagMetrics: sctx.c.Bool(noDiagMetricsFlagName),
 			NoDiagSystem:  sctx.c.Bool(noDiagSystemFlagName),
 			NoDiagRuntime: sctx.c.Bool(noDiagRuntimeFlagName),
 			NoDiagNetwork: sctx.c.Bool(noDiagNetworkFlagName),
 		},
 	}
 	if options.Address == "" {
 		log.Info().Msg("If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.")
 	}
 	states, err := diagnostic.RunDiagnostic(log, options)
 	if errors.Is(err, diagnostic.ErrMetricsServerNotFound) {
 		log.Warn().Msg("No instances found")
 		return nil
 	}
 	if errors.Is(err, diagnostic.ErrMultipleMetricsServerFound) {
 		if states != nil {
 			log.Info().Msgf("Found multiple instances running:")
 			for _, state := range states {
 				log.Info().Msgf("Instance: tunnel-id=%s connector-id=%s metrics-address=%s", state.TunnelID, state.ConnectorID, state.URL.String())
 			}
 			log.Info().Msgf("To select one instance use the option --metrics")
 		}
 		return nil
 	}
 	if errors.Is(err, diagnostic.ErrLogConfigurationIsInvalid) {
 		log.Info().Msg("Couldn't extract logs from the instance. If the instance is running in a containerized environment use the option --diag-container-id or --diag-pod-id. If there is no logging configuration use --no-diag-logs.")
 	}
 	if err != nil {
 		log.Warn().Msg("Diagnostic completed with one or more errors")
 	} else {
 		log.Info().Msg("Diagnostic completed")
 	}
 	return nil
 }
--- a/cmd/cloudflared/tunnel/tag.go
+++ b/cmd/cloudflared/tunnel/tag.go
@ -4,23 +4,23 @@ import (
 	"fmt"
 	"regexp"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Restrict key names to characters allowed in an HTTP header name.
 // Restrict key values to printable characters (what is recognised as data in an HTTP header value).
 var tagRegexp = regexp.MustCompile("^([a-zA-Z0-9!#$%&'*+\\-.^_`|~]+)=([[:print:]]+)$")
-func NewTagFromCLI(compoundTag string) (tunnelpogs.Tag, bool) {
+func NewTagFromCLI(compoundTag string) (pogs.Tag, bool) {
 	matches := tagRegexp.FindStringSubmatch(compoundTag)
 	if len(matches) == 0 {
-		return tunnelpogs.Tag{}, false
+		return pogs.Tag{}, false
 	}
-	return tunnelpogs.Tag{Name: matches[1], Value: matches[2]}, true
+	return pogs.Tag{Name: matches[1], Value: matches[2]}, true
 }
-func NewTagSliceFromCLI(tags []string) ([]tunnelpogs.Tag, error) {
+func NewTagSliceFromCLI(tags []string) ([]pogs.Tag, error) {
-	var tagSlice []tunnelpogs.Tag
+	var tagSlice []pogs.Tag
 	for _, compoundTag := range tags {
 		if tag, ok := NewTagFromCLI(compoundTag); ok {
 			tagSlice = append(tagSlice, tag)
--- a/cmd/cloudflared/tunnel/tag_test.go
+++ b/cmd/cloudflared/tunnel/tag_test.go
@ -3,7 +3,7 @@ package tunnel
 import (
 	"testing"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	"github.com/stretchr/testify/assert"
 )
@ -11,12 +11,12 @@ import (
 func TestSingleTag(t *testing.T) {
 	testCases := []struct {
 		Input  string
-		Output tunnelpogs.Tag
+		Output pogs.Tag
 		Fail   bool
 	}{
-		{Input: "x=y", Output: tunnelpogs.Tag{Name: "x", Value: "y"}},
+		{Input: "x=y", Output: pogs.Tag{Name: "x", Value: "y"}},
-		{Input: "More-Complex=Tag Values", Output: tunnelpogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
+		{Input: "More-Complex=Tag Values", Output: pogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
-		{Input: "First=Equals=Wins", Output: tunnelpogs.Tag{Name: "First", Value: "Equals=Wins"}},
+		{Input: "First=Equals=Wins", Output: pogs.Tag{Name: "First", Value: "Equals=Wins"}},
 		{Input: "x=", Fail: true},
 		{Input: "=y", Fail: true},
 		{Input: "=", Fail: true},
--- a/cmd/cloudflared/tunnel/teamnet_subcommands.go
+++ b/cmd/cloudflared/tunnel/teamnet_subcommands.go
@ -21,6 +21,8 @@ var (
 		Aliases: []string{"vn"},
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
 	errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 func buildRouteIPSubcommand() *cli.Command {
@ -30,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
 		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
 your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
-client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
@ -68,11 +70,9 @@ which virtual network's routing table you want to add the route to with:
 				Name:      "delete",
 				Action:    cliutil.ConfiguredAction(deleteRouteCommand),
 				Usage:     "Delete a row from your organization's private routing table",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [flags] [CIDR]",
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [flags] [Route ID or CIDR]",
-				Description: `Deletes the row for a given CIDR from your routing table. That portion of your network
+				Description: `Deletes the row for the given route ID from your routing table. That portion of your network
-will no longer be reachable by the WARP clients. Note that if you use virtual
+will no longer be reachable.`,
 networks, then you have to tell which virtual network whose routing table you
 have a row deleted from.`,
 				Flags: []cli.Flag{vnetFlag},
 			},
 			{
@ -187,33 +187,36 @@ func deleteRouteCommand(c *cli.Context) error {
 	}
 	if c.NArg() != 1 {
-		return errors.New("You must supply exactly one argument, the network whose route you want to delete (in CIDR form e.g. 1.2.3.4/32)")
+		return errAddRoute
 	}
-	_, network, err := net.ParseCIDR(c.Args().First())
+	var routeId uuid.UUID
 	routeId, err = uuid.Parse(c.Args().First())
 	if err != nil {
-		return errors.Wrap(err, "Invalid network CIDR")
+		_, network, err := net.ParseCIDR(c.Args().First())
-	}
+		if err != nil || network == nil {
-	if network == nil {
+			return errAddRoute
-		return errors.New("Invalid network CIDR")
+		}
 	}
-	params := cfapi.DeleteRouteParams{
+		var vnetId *uuid.UUID
-		Network: *network,
+		if c.IsSet(vnetFlag.Name) {
-	}
+			id, err := getVnetId(sc, c.String(vnetFlag.Name))
 			if err != nil {
 				return err
 			}
 			vnetId = &id
 		}
-	if c.IsSet(vnetFlag.Name) {
+		routeId, err = sc.getRouteId(*network, vnetId)
 		vnetId, err := getVnetId(sc, c.String(vnetFlag.Name))
 		if err != nil {
 			return err
 		}
 		params.VNetID = &vnetId
 	}
-	if err := sc.deleteRoute(params); err != nil {
+	if err := sc.deleteRoute(routeId); err != nil {
 		return errors.Wrap(err, "API error")
 	}
-	fmt.Printf("Successfully deleted route for %s\n", network)
+	fmt.Printf("Successfully deleted route with ID %s\n", routeId)
 	return nil
 }
@ -269,7 +272,7 @@ func formatAndPrintRouteList(routes []*cfapi.DetailedRoute) {
 	defer writer.Flush()
 	// Print column headers with tabbed columns
-	_, _ = fmt.Fprintln(writer, "NETWORK\tVIRTUAL NET ID\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
+	_, _ = fmt.Fprintln(writer, "ID\tNETWORK\tVIRTUAL NET ID\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
 	// Loop through routes, create formatted string for each, and print using tabwriter
 	for _, route := range routes {
--- a/cmd/cloudflared/tunnel/vnets_subcommands.go
+++ b/cmd/cloudflared/tunnel/vnets_subcommands.go
@ -33,6 +33,12 @@ var (
 		Aliases: []string{"c"},
 		Usage:   "A new comment describing the purpose of the virtual network.",
 	}
 	vnetForceDeleteFlag = &cli.BoolFlag{
 		Name:    "force",
 		Aliases: []string{"f"},
 		Usage: "Force the deletion of the virtual network even if it is being relied upon by other resources. Those" +
 			"resources will either be deleted (e.g. IP Routes) or moved to the current default virutal network.",
 	}
 )
 func buildVirtualNetworkSubcommand(hidden bool) *cli.Command {
@ -82,6 +88,7 @@ be the current default.`,
 				UsageText: "cloudflared tunnel [--config FILEPATH] network delete VIRTUAL_NETWORK",
 				Description: `Deletes the virtual network (given its ID or name). This is only possible if that virtual network is unused. 
 A virtual network may be used by IP routes or by WARP devices.`,
 				Flags:  []cli.Flag{vnetForceDeleteFlag},
 				Hidden: hidden,
 			},
 			{
@ -188,7 +195,7 @@ func deleteVirtualNetworkCommand(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	if c.NArg() != 1 {
+	if c.NArg() < 1 {
 		return errors.New("You must supply exactly one argument, either the ID or name of the virtual network to delete")
 	}
@ -198,7 +205,12 @@ func deleteVirtualNetworkCommand(c *cli.Context) error {
 		return err
 	}
-	if err := sc.deleteVirtualNetwork(vnetId); err != nil {
+	forceDelete := false
 	if c.IsSet(vnetForceDeleteFlag.Name) {
 		forceDelete = c.Bool(vnetForceDeleteFlag.Name)
 	}
 	if err := sc.deleteVirtualNetwork(vnetId, forceDelete); err != nil {
 		return errors.Wrap(err, "API error")
 	}
 	fmt.Printf("Successfully deleted virtual network '%s'\n", input)
--- a/cmd/cloudflared/ui/launch_ui.go
+++ b/cmd/cloudflared/ui/launch_ui.go
@ -1,223 +0,0 @@
 package ui
 import (
 	"context"
 	"fmt"
 	"strings"
 	"github.com/gdamore/tcell"
 	"github.com/rivo/tview"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/ingress"
 )
 type connState struct {
 	location string
 }
 type uiModel struct {
 	version       string
 	edgeURL       string
 	metricsURL    string
 	localServices []string
 	connections   []connState
 }
 type palette struct {
 	url          string
 	connected    string
 	defaultText  string
 	disconnected string
 	reconnecting string
 	unregistered string
 }
 func NewUIModel(version, hostname, metricsURL string, ing *ingress.Ingress, haConnections int) *uiModel {
 	localServices := make([]string, len(ing.Rules))
 	for i, rule := range ing.Rules {
 		localServices[i] = rule.Service.String()
 	}
 	return &uiModel{
 		version:       version,
 		edgeURL:       hostname,
 		metricsURL:    metricsURL,
 		localServices: localServices,
 		connections:   make([]connState, haConnections),
 	}
 }
 func (data *uiModel) Launch(
 	ctx context.Context,
 	log, transportLog *zerolog.Logger,
 ) connection.EventSink {
 	// Configure the logger to stream logs into the textview
 	// Add TextView as a group to write output to
 	logTextView := NewDynamicColorTextView()
 	// TODO: Format log for UI
 	//log.Add(logTextView, logger.NewUIFormatter(time.RFC3339), logLevels...)
 	//transportLog.Add(logTextView, logger.NewUIFormatter(time.RFC3339), logLevels...)
 	// Construct the UI
 	palette := palette{
 		url:          "lightblue",
 		connected:    "lime",
 		defaultText:  "white",
 		disconnected: "red",
 		reconnecting: "orange",
 		unregistered: "orange",
 	}
 	app := tview.NewApplication()
 	grid := tview.NewGrid().SetGap(1, 0)
 	frame := tview.NewFrame(grid)
 	header := fmt.Sprintf("cloudflared [::b]%s", data.version)
 	frame.AddText(header, true, tview.AlignLeft, tcell.ColorWhite)
 	// Create table to store connection info and status
 	connTable := tview.NewTable()
 	// SetColumns takes a value for each column, representing the size of the column
 	// Numbers <= 0 represent proportional widths and positive numbers represent absolute widths
 	grid.SetColumns(20, 0)
 	// SetRows takes a value for each row, representing the size of the row
 	grid.SetRows(1, 1, len(data.connections), 1, 0)
 	// AddItem takes a primitive tview type, row, column, rowSpan, columnSpan, minGridHeight, minGridWidth, and focus
 	grid.AddItem(tview.NewTextView().SetText("Tunnel:"), 0, 0, 1, 1, 0, 0, false)
 	grid.AddItem(tview.NewTextView().SetText("Status:"), 1, 0, 1, 1, 0, 0, false)
 	grid.AddItem(tview.NewTextView().SetText("Connections:"), 2, 0, 1, 1, 0, 0, false)
 	grid.AddItem(tview.NewTextView().SetText("Metrics:"), 3, 0, 1, 1, 0, 0, false)
 	tunnelHostText := tview.NewTextView().SetText(data.edgeURL)
 	grid.AddItem(tunnelHostText, 0, 1, 1, 1, 0, 0, false)
 	status := fmt.Sprintf("[%s]\u2022[%s] Proxying to [%s::b]%s", palette.connected, palette.defaultText, palette.url, strings.Join(data.localServices, ", "))
 	grid.AddItem(NewDynamicColorTextView().SetText(status), 1, 1, 1, 1, 0, 0, false)
 	grid.AddItem(connTable, 2, 1, 1, 1, 0, 0, false)
 	grid.AddItem(NewDynamicColorTextView().SetText(fmt.Sprintf("Metrics at [%s::b]http://%s/metrics", palette.url, data.metricsURL)), 3, 1, 1, 1, 0, 0, false)
 	// Add TextView to stream logs
 	// Logs are displayed in a new grid so a border can be set around them
 	logGrid := tview.NewGrid().SetBorders(true).AddItem(logTextView.SetChangedFunc(handleNewText(app, logTextView)), 0, 0, 5, 2, 0, 0, false)
 	// LogFrame holds the Logs header as well as the grid with the textView for streamed logs
 	logFrame := tview.NewFrame(logGrid).AddText("[::b]Logs:[::-]", true, tview.AlignLeft, tcell.ColorWhite).SetBorders(0, 0, 0, 0, 0, 0)
 	// Footer for log frame
 	logFrame.AddText("[::d]Use Ctrl+C to exit[::-]", false, tview.AlignRight, tcell.ColorWhite)
 	grid.AddItem(logFrame, 4, 0, 5, 2, 0, 0, false)
 	go func() {
 		<-ctx.Done()
 		app.Stop()
 		return
 	}()
 	go func() {
 		if err := app.SetRoot(frame, true).Run(); err != nil {
 			log.Error().Msgf("Error launching UI: %s", err)
 		}
 	}()
 	return connection.EventSinkFunc(func(event connection.Event) {
 		switch event.EventType {
 		case connection.Connected:
 			data.setConnTableCell(event, connTable, palette)
 		case connection.Disconnected, connection.Reconnecting, connection.Unregistering:
 			data.changeConnStatus(event, connTable, log, palette)
 		case connection.SetURL:
 			tunnelHostText.SetText(event.URL)
 			data.edgeURL = event.URL
 		case connection.RegisteringTunnel:
 			if data.edgeURL == "" {
 				tunnelHostText.SetText(fmt.Sprintf("Registering tunnel connection %d...", event.Index))
 			}
 		}
 		app.Draw()
 	})
 }
 func NewDynamicColorTextView() *tview.TextView {
 	return tview.NewTextView().SetDynamicColors(true)
 }
 // Re-draws application when new logs are streamed to UI
 func handleNewText(app *tview.Application, logTextView *tview.TextView) func() {
 	return func() {
 		app.Draw()
 		// SetFocus to enable scrolling in textview
 		app.SetFocus(logTextView)
 	}
 }
 func (data *uiModel) changeConnStatus(event connection.Event, table *tview.Table, log *zerolog.Logger, palette palette) {
 	index := int(event.Index)
 	// Get connection location and state
 	connState := data.getConnState(index)
 	// Check if connection is already displayed in UI
 	if connState == nil {
 		log.Info().Msg("Connection is not in the UI table")
 		return
 	}
 	locationState := event.Location
 	if event.EventType == connection.Reconnecting {
 		locationState = "Reconnecting..."
 	}
 	connectionNum := index + 1
 	// Get table cell
 	cell := table.GetCell(index, 0)
 	// Change dot color in front of text as well as location state
 	text := newCellText(palette, connectionNum, locationState, event.EventType)
 	cell.SetText(text)
 }
 // Return connection location and row in UI table
 func (data *uiModel) getConnState(connID int) *connState {
 	if connID < len(data.connections) {
 		return &data.connections[connID]
 	}
 	return nil
 }
 func (data *uiModel) setConnTableCell(event connection.Event, table *tview.Table, palette palette) {
 	index := int(event.Index)
 	connectionNum := index + 1
 	// Update slice to keep track of connection location and state in UI table
 	data.connections[index].location = event.Location
 	// Update text in table cell to show disconnected state
 	text := newCellText(palette, connectionNum, event.Location, event.EventType)
 	cell := tview.NewTableCell(text)
 	table.SetCell(index, 0, cell)
 }
 func newCellText(palette palette, connectionNum int, location string, connectedStatus connection.Status) string {
 	// HA connection indicator formatted as: "• #<CONNECTION_INDEX>: <COLO>",
 	//  where the left middle dot's color depends on the status of the connection
 	const connFmtString = "[%s]\u2022[%s] #%d: %s"
 	var dotColor string
 	switch connectedStatus {
 	case connection.Connected:
 		dotColor = palette.connected
 	case connection.Disconnected:
 		dotColor = palette.disconnected
 	case connection.Reconnecting:
 		dotColor = palette.reconnecting
 	case connection.Unregistering:
 		dotColor = palette.unregistered
 	}
 	return fmt.Sprintf(connFmtString, dotColor, palette.defaultText, connectionNum, location)
 }
--- a/cmd/cloudflared/updater/update.go
+++ b/cmd/cloudflared/updater/update.go
@ -6,20 +6,23 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"
@ -30,12 +33,13 @@ const (
 )
 var (
-	version                string
+	buildInfo              *cliutil.BuildInfo
 	BuiltForPackageManager = ""
 )
 // BinaryUpdated implements ExitCoder interface, the app will exit with status code 11
 // https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder
 // nolint: errname
 type statusSuccess struct {
 	newVersion string
 }
@ -48,16 +52,16 @@ func (u *statusSuccess) ExitCode() int {
 	return 11
 }
-// UpdateErr implements ExitCoder interface, the app will exit with status code 10
+// statusError implements ExitCoder interface, the app will exit with status code 10
-type statusErr struct {
+type statusError struct {
 	err error
 }
-func (e *statusErr) Error() string {
+func (e *statusError) Error() string {
 	return fmt.Sprintf("failed to update cloudflared: %v", e.err)
 }
-func (e *statusErr) ExitCode() int {
+func (e *statusError) ExitCode() int {
 	return 10
 }
@ -77,11 +81,11 @@ type UpdateOutcome struct {
 }
 func (uo *UpdateOutcome) noUpdate() bool {
-	return uo.Error == nil && uo.Updated == false
+	return uo.Error == nil && !uo.Updated
 }
-func Init(v string) {
+func Init(info *cliutil.BuildInfo) {
-	version = v
+	buildInfo = info
 }
 func CheckForUpdate(options updateOptions) (CheckResult, error) {
@ -95,12 +99,26 @@ func CheckForUpdate(options updateOptions) (CheckResult, error) {
 		url = StagingUpdateURL
 	}
-	s := NewWorkersService(version, url, cfdPath, Options{IsBeta: options.isBeta,
+	if runtime.GOOS == "windows" {
 		cfdPath = encodeWindowsPath(cfdPath)
 	}
 	s := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,
 		IsForced: options.isForced, RequestedVersion: options.intendedVersion})
 	return s.Check()
 }
 func encodeWindowsPath(path string) string {
 	// We do this because Windows allows spaces in directories such as
 	// Program Files but does not allow these directories to be spaced in batch files.
 	targetPath := strings.Replace(path, "Program Files (x86)", "PROGRA~2", -1)
 	// This is to do the same in 32 bit systems. We do this second so that the first
 	// replace is for x86 dirs.
 	targetPath = strings.Replace(targetPath, "Program Files", "PROGRA~1", -1)
 	return targetPath
 }
 func applyUpdate(options updateOptions, update CheckResult) UpdateOutcome {
 	if update.Version() == "" || options.updateDisabled {
 		return UpdateOutcome{UserMessage: update.UserMessage()}
@ -137,7 +155,7 @@ func Update(c *cli.Context) error {
 		log.Info().Msg("cloudflared is set to update from staging")
 	}
-	isForced := c.Bool("force")
+	isForced := c.Bool(cfdflags.Force)
 	if isForced {
 		log.Info().Msg("cloudflared is set to upgrade to the latest publish version regardless of the current version")
 	}
@ -150,7 +168,7 @@ func Update(c *cli.Context) error {
 		intendedVersion: c.String("version"),
 	})
 	if updateOutcome.Error != nil {
-		return &statusErr{updateOutcome.Error}
+		return &statusError{updateOutcome.Error}
 	}
 	if updateOutcome.noUpdate() {
@ -182,10 +200,9 @@ func loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {
 // AutoUpdater periodically checks for new version of cloudflared.
 type AutoUpdater struct {
-	configurable     *configurable
+	configurable *configurable
-	listeners        *gracenet.Net
+	listeners    *gracenet.Net
-	updateConfigChan chan *configurable
+	log          *zerolog.Logger
 	log              *zerolog.Logger
 }
 // AutoUpdaterConfigurable is the attributes of AutoUpdater that can be reconfigured during runtime
@ -196,10 +213,9 @@ type configurable struct {
 func NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet.Net, log *zerolog.Logger) *AutoUpdater {
 	return &AutoUpdater{
-		configurable:     createUpdateConfig(updateDisabled, freq, log),
+		configurable: createUpdateConfig(updateDisabled, freq, log),
-		listeners:        listeners,
+		listeners:    listeners,
-		updateConfigChan: make(chan *configurable),
+		log:          log,
 		log:              log,
 	}
 }
@ -218,19 +234,27 @@ func createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Lo
 	}
 }
 // Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process
 // to use the new version. It delays the first update check by the configured frequency as to not attempt a
 // download immediately and restart after starting (in the case that there is an upgrade available).
 func (a *AutoUpdater) Run(ctx context.Context) error {
 	ticker := time.NewTicker(a.configurable.freq)
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-ticker.C:
 		}
 		updateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})
 		if updateOutcome.Updated {
-			Init(updateOutcome.Version)
+			buildInfo.CloudflaredVersion = updateOutcome.Version
 			if IsSysV() {
 				// SysV doesn't have a mechanism to keep service alive, we have to restart the process
 				a.log.Info().Msg("Restarting service managed by SysV...")
 				pid, err := a.listeners.StartProcess()
 				if err != nil {
 					a.log.Err(err).Msg("Unable to restart server automatically")
-					return &statusErr{err: err}
+					return &statusError{err: err}
 				}
 				// stop old process after autoupdate. Otherwise we create a new process
 				// after each update
@ -240,25 +264,9 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
 		} else if updateOutcome.UserMessage != "" {
 			a.log.Warn().Msg(updateOutcome.UserMessage)
 		}
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case newConfigurable := <-a.updateConfigChan:
 			ticker.Stop()
 			a.configurable = newConfigurable
 			ticker = time.NewTicker(a.configurable.freq)
 			// Check if there is new version of cloudflared after receiving new AutoUpdaterConfigurable
 		case <-ticker.C:
 		}
 	}
 }
 // Update is the method to pass new AutoUpdaterConfigurable to a running AutoUpdater. It is safe to be called concurrently
 func (a *AutoUpdater) Update(updateDisabled bool, newFreq time.Duration) {
 	a.updateConfigChan <- createUpdateConfig(updateDisabled, newFreq, a.log)
 }
 func isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {
 	if !supportAutoUpdate(log) {
 		return false
@ -290,7 +298,7 @@ func wasInstalledFromPackageManager() bool {
 }
 func isRunningFromTerminal() bool {
-	return terminal.IsTerminal(int(os.Stdout.Fd()))
+	return term.IsTerminal(int(os.Stdout.Fd()))
 }
 func IsSysV() bool {
--- a/cmd/cloudflared/updater/update_test.go
+++ b/cmd/cloudflared/updater/update_test.go
@ -9,8 +9,14 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func init() {
 	Init(cliutil.GetBuildInfo("TEST", "TEST"))
 }
 func TestDisabledAutoUpdater(t *testing.T) {
 	listeners := &gracenet.Net{}
 	log := zerolog.Nop()
--- a/cmd/cloudflared/updater/workers_service.go
+++ b/cmd/cloudflared/updater/workers_service.go
@ -3,6 +3,7 @@ package updater
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"runtime"
 )
@ -56,6 +57,9 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	req, err := http.NewRequest(http.MethodGet, s.url, nil)
 	if err != nil {
 		return nil, err
 	}
 	q := req.URL.Query()
 	q.Add(OSKeyName, runtime.GOOS)
 	q.Add(ArchitectureKeyName, runtime.GOARCH)
@ -76,6 +80,10 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("unable to check for update: %d", resp.StatusCode)
 	}
 	var v VersionResponse
 	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
 		return nil, err
--- a/cmd/cloudflared/updater/workers_service_test.go
+++ b/cmd/cloudflared/updater/workers_service_test.go
@ -1,5 +1,4 @@
 //go:build !windows
 // +build !windows
 package updater
@ -11,7 +10,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/httptest"
@ -224,7 +222,7 @@ func TestUpdateService(t *testing.T) {
 	require.Equal(t, v.Version(), mostRecentVersion)
 	require.NoError(t, v.Apply())
-	dat, err := ioutil.ReadFile(testFilePath)
+	dat, err := os.ReadFile(testFilePath)
 	require.NoError(t, err)
 	require.Equal(t, string(dat), mostRecentVersion)
@ -243,7 +241,7 @@ func TestBetaUpdateService(t *testing.T) {
 	require.Equal(t, v.Version(), mostRecentBetaVersion)
 	require.NoError(t, v.Apply())
-	dat, err := ioutil.ReadFile(testFilePath)
+	dat, err := os.ReadFile(testFilePath)
 	require.NoError(t, err)
 	require.Equal(t, string(dat), mostRecentBetaVersion)
@ -289,7 +287,7 @@ func TestForcedUpdateService(t *testing.T) {
 	require.Equal(t, v.Version(), mostRecentVersion)
 	require.NoError(t, v.Apply())
-	dat, err := ioutil.ReadFile(testFilePath)
+	dat, err := os.ReadFile(testFilePath)
 	require.NoError(t, err)
 	require.Equal(t, string(dat), mostRecentVersion)
@ -309,7 +307,7 @@ func TestUpdateSpecificVersionService(t *testing.T) {
 	require.Equal(t, reqVersion, v.Version())
 	require.NoError(t, v.Apply())
-	dat, err := ioutil.ReadFile(testFilePath)
+	dat, err := os.ReadFile(testFilePath)
 	require.NoError(t, err)
 	require.Equal(t, reqVersion, string(dat))
@ -328,7 +326,7 @@ func TestCompressedUpdateService(t *testing.T) {
 	require.Equal(t, "2020.09.02", v.Version())
 	require.NoError(t, v.Apply())
-	dat, err := ioutil.ReadFile(testFilePath)
+	dat, err := os.ReadFile(testFilePath)
 	require.NoError(t, err)
 	require.Equal(t, "2020.09.02", string(dat))
--- a/cmd/cloudflared/updater/workers_update.go
+++ b/cmd/cloudflared/updater/workers_update.go
@ -3,7 +3,6 @@ package updater
 import (
 	"archive/tar"
 	"compress/gzip"
 	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@ -11,11 +10,15 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"text/template"
 	"time"
 	"github.com/getsentry/sentry-go"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 const (
@ -25,14 +28,13 @@ const (
 	// rename cloudflared.exe.new to cloudflared.exe
 	// delete cloudflared.exe.old
 	// start the service
-	// delete the batch file
+	// exit with code 0 if we've reached this point indicating success.
-	windowsUpdateCommandTemplate = `@echo off
+	windowsUpdateCommandTemplate = `sc stop cloudflared >nul 2>&1
-sc stop cloudflared >nul 2>&1
+del "{{.OldPath}}"
 rename "{{.TargetPath}}" {{.OldName}}
 rename "{{.NewPath}}" {{.BinaryName}}
 del "{{.OldPath}}"
 sc start cloudflared >nul 2>&1
-del {{.BatchName}}`
+exit /b 0`
 	batchFileName = "cfd_update.bat"
 )
@ -87,8 +89,25 @@ func (v *WorkersVersion) Apply() error {
 		return err
 	}
-	// check that the file is what is expected
+	downloadSum, err := cliutil.FileChecksum(newFilePath)
-	if err := isValidChecksum(v.checksum, newFilePath); err != nil {
+	if err != nil {
 		return err
 	}
 	// Check that the file downloaded matches what is expected.
 	if v.checksum != downloadSum {
 		return errors.New("checksum validation failed")
 	}
 	// Check if the currently running version has the same checksum
 	if downloadSum == buildInfo.Checksum {
 		// Currently running binary matches the downloaded binary so we have no reason to update. This is
 		// typically unexpected, as such we emit a sentry event.
 		localHub := sentry.CurrentHub().Clone()
 		err := errors.New("checksum validation matches currently running process")
 		localHub.CaptureException(err)
 		// Make sure to cleanup the new downloaded file since we aren't upgrading versions.
 		os.Remove(newFilePath)
 		return err
 	}
@ -115,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
 	if err := os.Rename(newFilePath, v.targetPath); err != nil {
 		//attempt rollback
-		os.Rename(oldFilePath, v.targetPath)
+		_ = os.Rename(oldFilePath, v.targetPath)
 		return err
 	}
 	os.Remove(oldFilePath)
@ -162,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
 		tr := tar.NewReader(gr)
 		// advance the reader pass the header, which will be the single binary file
-		tr.Next()
+		_, _ = tr.Next()
 		r = tr
 	}
@ -179,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
 // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
 func isCompressedFile(urlstring string) bool {
-	if strings.HasSuffix(urlstring, ".tgz") {
+	if path.Ext(urlstring) == ".tgz" {
 		return true
 	}
@ -187,35 +206,15 @@ func isCompressedFile(urlstring string) bool {
 	if err != nil {
 		return false
 	}
-	return strings.HasSuffix(u.Path, ".tgz")
+	return path.Ext(u.Path) == ".tgz"
 }
 // checks if the checksum in the json response matches the checksum of the file download
 func isValidChecksum(checksum, filePath string) error {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return err
 	}
 	hash := fmt.Sprintf("%x", h.Sum(nil))
 	if checksum != hash {
 		return errors.New("checksum validation failed")
 	}
 	return nil
 }
 // writeBatchFile writes a batch file out to disk
 // see the dicussion on why it has to be done this way
 func writeBatchFile(targetPath string, newPath string, oldPath string) error {
-	os.Remove(batchFileName) //remove any failed updates before download
+	batchFilePath := filepath.Join(filepath.Dir(targetPath), batchFileName)
-	f, err := os.Create(batchFileName)
+	os.Remove(batchFilePath) //remove any failed updates before download
 	f, err := os.Create(batchFilePath)
 	if err != nil {
 		return err
 	}
@ -241,6 +240,15 @@ func writeBatchFile(targetPath string, newPath string, oldPath string) error {
 // run each OS command for windows
 func runWindowsBatch(batchFile string) error {
-	cmd := exec.Command("cmd", "/c", batchFile)
+	defer os.Remove(batchFile)
-	return cmd.Start()
+	cmd := exec.Command("cmd", "/C", batchFile)
 	_, err := cmd.Output()
 	// Remove the batch file we created. Don't let this interfere with the error
 	// we report.
 	if err != nil {
 		if exitError, ok := err.(*exec.ExitError); ok {
 			return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
 		}
 	}
 	return err
 }
--- a/cmd/cloudflared/windows_service.go
+++ b/cmd/cloudflared/windows_service.go
@ -1,5 +1,4 @@
 //go:build windows
 // +build windows
 package main
@ -27,7 +26,7 @@ import (
 const (
 	windowsServiceName        = "Cloudflared"
 	windowsServiceDescription = "Cloudflared agent"
-	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
+	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/"
 	recoverActionDelay      = time.Second * 20
 	failureCountResetPeriod = time.Hour * 24
--- a/component-tests/README.md
+++ b/component-tests/README.md
@ -1,16 +1,15 @@
 # Requirements
-1. Python 3.7 or later with packages in the given `requirements.txt`
+1. Python 3.10 or later with packages in the given `requirements.txt`
-   - E.g. with conda:
+   - E.g. with venv:
-   - `conda create -n component-tests python=3.7`  
+   - `python3 -m venv ./.venv`  
-   - `conda activate component-tests`
+   - `source ./.venv/bin/activate`
-   - `pip3 install -r requirements.txt`
+   - `python3 -m pip install -r requirements.txt`
 2. Create a config yaml file, for example:
 ```
 cloudflared_binary: "cloudflared"
 tunnel: "3d539f97-cd3a-4d8e-c33b-65e9099c7a8d"
 credentials_file: "/Users/tunnel/.cloudflared/3d539f97-cd3a-4d8e-c33b-65e9099c7a8d.json"
 classic_hostname: "classic-tunnel-component-tests.example.com"
 origincert: "/Users/tunnel/.cloudflared/cert.pem"
 ingress:
 - hostname: named-tunnel-component-tests.example.com
--- a/component-tests/cli.py
+++ b/component-tests/cli.py
@ -2,7 +2,9 @@ import json
 import subprocess
 from time import sleep
 from constants import MANAGEMENT_HOST_NAME
 from setup import get_config_from_file
 from util import get_tunnel_connector_id
 SINGLE_CASE_TIMEOUT = 600
@ -28,6 +30,36 @@ class CloudflaredCli:
        listed = self._run_command(cmd_args, "list")
        return json.loads(listed.stdout)
    def get_management_token(self, config, config_path):
        basecmd = [config.cloudflared_binary]
        if config_path is not None:
            basecmd += ["--config", str(config_path)]
        origincert = get_config_from_file()["origincert"]
        if origincert:
            basecmd += ["--origincert", origincert]
        cmd_args = ["tail", "token", config.get_tunnel_id()]
        cmd = basecmd + cmd_args
        result = run_subprocess(cmd, "token", self.logger, check=True, capture_output=True, timeout=15)
        return json.loads(result.stdout.decode("utf-8").strip())["token"]
    def get_management_url(self, path, config, config_path):
        access_jwt = self.get_management_token(config, config_path)
        connector_id = get_tunnel_connector_id()
        return f"https://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}"
    def get_management_wsurl(self, path, config, config_path):
        access_jwt = self.get_management_token(config, config_path)
        connector_id = get_tunnel_connector_id()
        return f"wss://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}"
    def get_connector_id(self, config): 
        op = self.get_tunnel_info(config.get_tunnel_id())
        connectors = []
        for conn in op["conns"]:
            connectors.append(conn["id"])
        return connectors
    def get_tunnel_info(self, tunnel_id):
        info = self._run_command(["info", "--output", "json", tunnel_id], "info")
        return json.loads(info.stdout)
--- a/component-tests/config.py
+++ b/component-tests/config.py
@ -30,6 +30,7 @@ class NamedTunnelBaseConfig(BaseConfig):
    tunnel: str = None
    credentials_file: str = None
    ingress: list = None
    hostname: str = None
    def __post_init__(self):
        if self.tunnel is None:
@ -41,8 +42,10 @@ class NamedTunnelBaseConfig(BaseConfig):
    def merge_config(self, additional):
        config = super(NamedTunnelBaseConfig, self).merge_config(additional)
-        config['tunnel'] = self.tunnel
+        if 'tunnel' not in config:
-        config['credentials-file'] = self.credentials_file
+            config['tunnel'] = self.tunnel
        if 'credentials-file' not in config:
            config['credentials-file'] = self.credentials_file
        # In some cases we want to override default ingress, such as in config tests
        if 'ingress' not in config:
            config['ingress'] = self.ingress
@ -61,7 +64,7 @@ class NamedTunnelConfig(NamedTunnelBaseConfig):
                           self.merge_config(additional_config))
    def get_url(self):
-        return "https://" + self.ingress[0]['hostname']
+        return "https://" + self.hostname
    def base_config(self):
        config = self.full_config.copy()
@ -84,28 +87,9 @@ class NamedTunnelConfig(NamedTunnelBaseConfig):
    def get_credentials_json(self):
        with open(self.credentials_file) as json_file:
            return json.load(json_file)
-
+        
@dataclass(frozen=True)
-class ClassicTunnelBaseConfig(BaseConfig):
+class QuickTunnelConfig(BaseConfig):
    hostname: str = None
    origincert: str = None
    def __post_init__(self):
        if self.hostname is None:
            raise TypeError("Field tunnel is not set")
        if self.origincert is None:
            raise TypeError("Field credentials_file is not set")
    def merge_config(self, additional):
        config = super(ClassicTunnelBaseConfig, self).merge_config(additional)
        config['hostname'] = self.hostname
        config['origincert'] = self.origincert
        return config
@dataclass(frozen=True)
 class ClassicTunnelConfig(ClassicTunnelBaseConfig):
    full_config: dict = None
    additional_config: InitVar[dict] = {}
@ -115,10 +99,6 @@ class ClassicTunnelConfig(ClassicTunnelBaseConfig):
        object.__setattr__(self, 'full_config',
                           self.merge_config(additional_config))
    def get_url(self):
        return "https://" + self.hostname
@dataclass(frozen=True)
 class ProxyDnsConfig(BaseConfig):
    full_config = {
--- a/component-tests/config.yaml
+++ b/component-tests/config.yaml
@ -0,0 +1,8 @@
 cloudflared_binary: "cloudflared"
 tunnel: "ae21a96c-24d1-4ce8-a6ba-962cba5976d3"
 credentials_file: "/Users/sudarsan/.cloudflared/ae21a96c-24d1-4ce8-a6ba-962cba5976d3.json"
 origincert: "/Users/sudarsan/.cloudflared/cert.pem"
 ingress:
 - hostname: named-tunnel-component-tests.example.com
  service: hello_world
 - service: http_status:404
--- a/component-tests/conftest.py
+++ b/component-tests/conftest.py
@ -5,14 +5,14 @@ from time import sleep
 import pytest
 import yaml
-from config import NamedTunnelConfig, ClassicTunnelConfig, ProxyDnsConfig
+from config import NamedTunnelConfig, ProxyDnsConfig, QuickTunnelConfig
 from constants import BACKOFF_SECS, PROXY_DNS_PORT
 from util import LOGGER
 class CfdModes(Enum):
    NAMED = auto()
-    CLASSIC = auto()
+    QUICK = auto()
    PROXY_DNS = auto()
@ -26,7 +26,7 @@ def component_tests_config():
        config = yaml.safe_load(stream)
        LOGGER.info(f"component tests base config {config}")
-        def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, run_proxy_dns=True):
+        def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, run_proxy_dns=True, provide_ingress=True):
            if run_proxy_dns:
                # Regression test for TUN-4177, running with proxy-dns should not prevent tunnels from running.
                # So we run all tests with it.
@ -36,18 +36,25 @@ def component_tests_config():
                additional_config.pop("proxy-dns", None)
                additional_config.pop("proxy-dns-port", None)
            # Allows the ingress rules to be omitted from the provided config
            ingress = []
            if provide_ingress:
                ingress = config['ingress']
            # Provide the hostname to allow routing to the tunnel even if the ingress rule isn't defined in the config
            hostname = config['ingress'][0]['hostname']
            if cfd_mode is CfdModes.NAMED:
                return NamedTunnelConfig(additional_config=additional_config,
                                         cloudflared_binary=config['cloudflared_binary'],
                                         tunnel=config['tunnel'],
                                         credentials_file=config['credentials_file'],
-                                         ingress=config['ingress'])
+                                         ingress=ingress,
-            elif cfd_mode is CfdModes.CLASSIC:
+                                         hostname=hostname)
                return ClassicTunnelConfig(
                    additional_config=additional_config, cloudflared_binary=config['cloudflared_binary'],
                    hostname=config['classic_hostname'], origincert=config['origincert'])
            elif cfd_mode is CfdModes.PROXY_DNS:
                return ProxyDnsConfig(cloudflared_binary=config['cloudflared_binary'])
            elif cfd_mode is CfdModes.QUICK:
                return QuickTunnelConfig(additional_config=additional_config, cloudflared_binary=config['cloudflared_binary'])
            else:
                raise Exception(f"Unknown cloudflared mode {cfd_mode}")
--- a/component-tests/constants.py
+++ b/component-tests/constants.py
@ -1,9 +1,11 @@
 METRICS_PORT = 51000
 MAX_RETRIES = 5
 BACKOFF_SECS = 7
 MAX_LOG_LINES = 50
 PROXY_DNS_PORT = 9053
 MANAGEMENT_HOST_NAME = "management.argotunnel.com"
 def protocols():
-    return ["h2mux", "http2", "quic"]
+    return ["http2", "quic"]
--- a/component-tests/requirements.txt
+++ b/component-tests/requirements.txt
@ -1,6 +1,8 @@
-cloudflare==2.8.15
+cloudflare==2.14.3
 flaky==3.7.0
-pytest==6.2.2
+pytest==7.3.1
-pyyaml==5.4.1
+pytest-asyncio==0.21.0
-requests==2.25.1
+pyyaml==6.0.1
-retrying==1.3.3
+requests==2.28.2
 retrying==1.3.4
 websockets==11.0.1
--- a/component-tests/setup.py
+++ b/component-tests/setup.py
@ -74,19 +74,13 @@ def delete_tunnel(config):
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def create_dns(config, hostname, type, content):
-    cf = CloudFlare.CloudFlare(debug=True, token=get_env("DNS_API_TOKEN"))
+    cf = CloudFlare.CloudFlare(debug=False, token=get_env("DNS_API_TOKEN"))
    cf.zones.dns_records.post(
        config["zone_tag"],
        data={'name': hostname, 'type': type, 'content': content, 'proxied': True}
    )
 def create_classic_dns(config, random_uuid):
    classic_hostname = "classic-" + random_uuid + "." + config["zone_domain"]
    create_dns(config, classic_hostname, "AAAA", "fd10:aec2:5dae::")
    return classic_hostname
 def create_named_dns(config, random_uuid):
    hostname = "named-" + random_uuid + "." + config["zone_domain"]
    create_dns(config, hostname, "CNAME", config["tunnel"] + ".cfargotunnel.com")
@ -95,7 +89,7 @@ def create_named_dns(config, random_uuid):
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def delete_dns(config, hostname):
-    cf = CloudFlare.CloudFlare(debug=True, token=get_env("DNS_API_TOKEN"))
+    cf = CloudFlare.CloudFlare(debug=False, token=get_env("DNS_API_TOKEN"))
    zone_tag = config["zone_tag"]
    dns_records = cf.zones.dns_records.get(zone_tag, params={'name': hostname})
    if len(dns_records) > 0:
@ -119,7 +113,6 @@ def create():
    Creates the necessary resources for the components test to run.
     - Creates a named tunnel with a random name.
     - Creates a random CNAME DNS entry for that tunnel.
     - Creates a random AAAA DNS entry for a classic tunnel.
    Those created resources are added to the config (obtained from an environment variable).
    The resulting configuration is persisted for the tests to use.
@ -129,7 +122,6 @@ def create():
    random_uuid = str(uuid.uuid4())
    config["tunnel"] = create_tunnel(config, origincert_path, random_uuid)
    config["classic_hostname"] = create_classic_dns(config, random_uuid)
    config["ingress"] = [
        {
            "hostname": create_named_dns(config, random_uuid),
@ -150,7 +142,6 @@ def cleanup():
    """
    config = get_config_from_file()
    delete_tunnel(config)
    delete_dns(config, config["classic_hostname"])
    delete_dns(config, config["ingress"][0]["hostname"])
--- a/component-tests/test_config.py
+++ b/component-tests/test_config.py
@ -36,17 +36,17 @@ class TestConfig:
        _ = start_cloudflared(tmp_path, config, validate_args)
        self.match_rule(tmp_path, config,
-                        "http://example.com/index.html", 1)
+                        "http://example.com/index.html", 0)
        self.match_rule(tmp_path, config,
-                        "https://example.com/index.html", 1)
+                        "https://example.com/index.html", 0)
        self.match_rule(tmp_path, config,
-                        "https://api.example.com/login", 2)
+                        "https://api.example.com/login", 1)
        self.match_rule(tmp_path, config,
-                        "https://wss.example.com", 3)
+                        "https://wss.example.com", 2)
        self.match_rule(tmp_path, config,
-                        "https://ssh.example.com", 4)
+                        "https://ssh.example.com", 3)
        self.match_rule(tmp_path, config,
-                        "https://api.example.com", 5)
+                        "https://api.example.com", 4)
    # This is used to check that the command tunnel ingress url <url> matches rule number <rule_num>. Note that rule number uses 1-based indexing
--- a/component-tests/test_logging.py
+++ b/component-tests/test_logging.py
@ -2,6 +2,7 @@
 import json
 import os
 from constants import MAX_LOG_LINES
 from util import start_cloudflared, wait_tunnel_ready, send_requests
 # Rolling logger rotate log files after 1 MB
@ -11,14 +12,24 @@ expect_message = "Starting Hello"
 def assert_log_to_terminal(cloudflared):
-    stderr = cloudflared.stderr.read(1500)
+    for _ in range(0, MAX_LOG_LINES):
-    assert expect_message.encode() in stderr, f"{stderr} doesn't contain {expect_message}"
+        line = cloudflared.stderr.readline()
        if not line:
            break
        if expect_message.encode() in line:
            return
    raise Exception(f"terminal log doesn't contain {expect_message}")
 def assert_log_in_file(file):
    with open(file, "r") as f:
-        log = f.read(2000)
+        for _ in range(0, MAX_LOG_LINES):
-        assert expect_message in log, f"{log} doesn't contain {expect_message}"
+            line = f.readline()
            if not line:
                break
            if expect_message in line:
                return
    raise Exception(f"log file doesn't contain {expect_message}")
 def assert_json_log(file):
@ -63,7 +74,7 @@ def assert_log_to_dir(config, log_dir):
 class TestLogging:
    def test_logging_to_terminal(self, tmp_path, component_tests_config):
        config = component_tests_config()
-        with start_cloudflared(tmp_path, config, new_process=True) as cloudflared:
+        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True) as cloudflared:
            wait_tunnel_ready(tunnel_url=config.get_url())
            assert_log_to_terminal(cloudflared)
@ -74,7 +85,7 @@ class TestLogging:
            "logfile": str(log_file),
        }
        config = component_tests_config(extra_config)
-        with start_cloudflared(tmp_path, config, new_process=True, capture_output=False):
+        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True, capture_output=False):
            wait_tunnel_ready(tunnel_url=config.get_url(), cfd_logs=str(log_file))
            assert_log_in_file(log_file)
            assert_json_log(log_file)
@ -87,6 +98,6 @@ class TestLogging:
            "log-directory": str(log_dir),
        }
        config = component_tests_config(extra_config)
-        with start_cloudflared(tmp_path, config, new_process=True, capture_output=False):
+        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True, capture_output=False):
            wait_tunnel_ready(tunnel_url=config.get_url(), cfd_logs=str(log_dir))
            assert_log_to_dir(config, log_dir)
--- a/Show More
+++ b/Show More