3305 changed files with 226657 additions and 380959 deletions
--- a/.docker-images
+++ b/.docker-images
@ -1,12 +1,8 @@
 images:
  - name: cloudflared
-    dockerfile: Dockerfile.$ARCH
+    dockerfile: Dockerfile
    context: .
    version_file: versions
    registries:
    - name: docker.io/cloudflare
      user: env:DOCKER_USER
      password: env:DOCKER_PASSWORD
    architectures:
    - amd64
    - arm64
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
 .git
--- a/.github/ISSUE_TEMPLATE/---bug-report.md
+++ b/.github/ISSUE_TEMPLATE/---bug-report.md
@ -1,34 +0,0 @@
 ---
 name: "\U0001F41B Bug report"
 about: Create a report to help us improve cloudflared
 title: "\U0001F41B"
 labels: 'Priority: Normal, Type: Bug'
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Configure '...'
 2. Run '....'
 3. See error
 If it's an issue with Cloudflare Tunnel:
 4. Tunnel ID : 
 5. cloudflared config: 
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Environment and versions**
 - OS: [e.g. MacOS]
 - Architecture: [e.g. AMD, ARM]
 - Version: [e.g. 2022.02.0]
 **Logs and errors**
 If applicable, add logs or errors to help explain your problem.
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/---documentation.md
+++ b/.github/ISSUE_TEMPLATE/---documentation.md
@ -1,16 +0,0 @@
 ---
 name: "\U0001F4DD Documentation"
 about: Request new or updated documentation for cloudflared
 title: "\U0001F4DD"
 labels: 'Priority: Normal, Type: Documentation'
 ---
 **Available Documentation**
 A link to the documentation that is available today and the areas which could be improved. 
 **Suggested Documentation**
 A clear and concise description of the documentation, tutorial, or guide that should be added. 
 **Additional context**
 Add any other context or screenshots about the documentation request here.
--- a/.github/ISSUE_TEMPLATE/---feature-request.md
+++ b/.github/ISSUE_TEMPLATE/---feature-request.md
@ -1,16 +0,0 @@
 ---
 name: "\U0001F4A1 Feature request"
 about: Suggest a feature or enhancement for cloudflared
 title: "\U0001F4A1"
 labels: 'Priority: Normal, Type: Feature Request'
 ---
 **Describe the feature you'd like**
 A clear and concise description of the feature. What problem does it solve for you?
 **Describe alternatives you've considered**
 Are there any alternatives to solving this problem? If so, what was your experience with them?
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@ -4,15 +4,17 @@ jobs:
  check:
    strategy:
      matrix:
-        go-version: [1.22.x]
+        go-version: [1.17.x]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v2
      with:
        go-version: ${{ matrix.go-version }}
    - name: Install go-sumtype
      run: go get github.com/sudarshan-reddy/go-sumtype
    - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v2
    - name: Test
      run: make test
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,25 +0,0 @@
 on:
  pull_request: {}
  workflow_dispatch: {}
  push: 
    branches:
      - main
      - master
  schedule:
    - cron: '0 0 * * *'
 name: Semgrep config
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-20.04
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v3
      - run: semgrep ci
--- a/.gitignore
+++ b/.gitignore
@ -10,7 +10,6 @@ cscope.*
 /cloudflared.exe
 /cloudflared.msi
 /cloudflared-x86-64*
 /cloudflared.1
 /packaging
 .DS_Store
 *-session.log
--- a/.teamcity/build-macos.sh
+++ b/.teamcity/build-macos.sh
@ -0,0 +1,187 @@
 #!/bin/bash
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1)
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1)
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1)
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1)
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
  # notarize the binary
  if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
    zip "${BINARY_NAME}.zip" ${BINARY_NAME} 
    xcrun altool --notarize-app -f "${BINARY_NAME}.zip" -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
  fi
 fi
 # creating build directory
 rm -rf $TARGET_DIRECTORY
 mkdir "${TARGET_DIRECTORY}"
 mkdir "${TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
        xcrun altool --notarize-app -f ${PKGNAME} -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
        xcrun stapler staple ${PKGNAME}
      fi
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleaning up the build directory
 rm -rf $TARGET_DIRECTORY
--- a/.teamcity/install-cloudflare-go.sh
+++ b/.teamcity/install-cloudflare-go.sh
@ -1,8 +0,0 @@
 # !/usr/bin/env bash
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
 # https://github.com/cloudflare/go/tree/ec0a014545f180b0c74dfd687698657a9e86e310 is version go1.22.2-devel-cf
 git checkout -q ec0a014545f180b0c74dfd687698657a9e86e310
 ./make.bash
--- a/.teamcity/mac/build.sh
+++ b/.teamcity/mac/build.sh
@ -1,195 +0,0 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error 
    # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true 
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
--- a/.teamcity/mac/install-cloudflare-go.sh
+++ b/.teamcity/mac/install-cloudflare-go.sh
@ -1,10 +0,0 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 ./.teamcity/install-cloudflare-go.sh
 export PATH="/tmp/go/bin:$PATH"
 go version
 which go
 go env
--- a/.teamcity/package-windows.sh
+++ b/.teamcity/package-windows.sh
@ -1,19 +0,0 @@
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export BUILT_ARTIFACT_DIR=built_artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy exe into final directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done
--- a/.teamcity/update-homebrew.sh
+++ b/.teamcity/update-homebrew.sh
@ -0,0 +1,67 @@
 #!/bin/bash
 set -euo pipefail
 FILENAME="${PWD}/artifacts/cloudflared-darwin-amd64.tgz"
 if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
    echo "Skipping public release for an untagged commit."
    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
    exit 0
 fi
 if [[ ! -f "$FILENAME" ]] ; then
    echo "Missing $FILENAME"
    exit 1
 fi
 if [[ "${GITHUB_PRIVATE_KEY:-}" == "" ]] ; then
    echo "Missing GITHUB_PRIVATE_KEY"
    exit 1
 fi
 # upload to s3 bucket for use by Homebrew formula
 s3cmd \
    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    put "$FILENAME" "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 s3cmd \
    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    cp "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz" "s3://cftunnel-docs/dl/cloudflared-stable-darwin-amd64.tgz"
 SHA256=$(sha256sum "$FILENAME" | cut -b1-64)
 # set up git (note that UserKnownHostsFile is an absolute path so we can cd wherever)
 mkdir -p tmp
 ssh-keyscan -t rsa github.com > tmp/github.txt
 echo "$GITHUB_PRIVATE_KEY" > tmp/private.key
 chmod 0400 tmp/private.key
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PWD/tmp/github.txt -i $PWD/tmp/private.key -o IdentitiesOnly=yes"
 # clone Homebrew repo into tmp/homebrew-cloudflare
 git clone git@github.com:cloudflare/homebrew-cloudflare.git tmp/homebrew-cloudflare    
 cd tmp/homebrew-cloudflare
 git checkout -f master
 git reset --hard origin/master
 # modify cloudflared.rb
 URL="https://packages.argotunnel.com/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 tee cloudflared.rb <<EOF
 class Cloudflared < Formula
  desc 'Argo Tunnel'
  homepage 'https://developers.cloudflare.com/argo-tunnel/'
  url '$URL'
  sha256 '$SHA256'
  version '$VERSION'
  def install
    bin.install 'cloudflared'
  end
 end
 EOF
 # push cloudflared.rb
 git add cloudflared.rb
 git diff
 git config user.name "cloudflare-warp-bot"
 git config user.email "warp-bot@cloudflare.com"
 git commit -m "Release Argo Tunnel $VERSION"
 git push -v origin master
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -1,28 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Relative path to working directory
 $CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
 cd $CloudflaredDirectory
 Write-Output "Building for amd64"
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 go env
 go version
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:CGO_ENABLED = 0
 $env:TARGET_ARCH = "386"
 make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -1,47 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 go env
 go version
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 python --version
 python -m pip --version
 cd $CloudflaredDirectory
 go env
 go version
 Write-Output "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 echo $LASTEXITCODE
 Write-Output "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 & go test -failfast -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 Write-Output "Running component tests"
 python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
    python component-tests/setup.py --type cleanup
    throw "Failed component tests"
 }
 python component-tests/setup.py --type cleanup
--- a/.teamcity/windows/install-cloudflare-go.ps1
+++ b/.teamcity/windows/install-cloudflare-go.ps1
@ -1,16 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 Write-Output "Downloading cloudflare go..."
 Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
 # https://github.com/cloudflare/go/tree/ec0a014545f180b0c74dfd687698657a9e86e310 is version go1.22.2-devel-cf
 git checkout -q ec0a014545f180b0c74dfd687698657a9e86e310
 & ./make.bat
 Write-Output "Installed"
--- a/.teamcity/windows/install-go-msi.ps1
+++ b/.teamcity/windows/install-go-msi.ps1
@ -1,20 +0,0 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $GoMsiVersion = "go1.22.2.windows-amd64.msi"
 Write-Output "Downloading go installer..."
 Set-Location "$Env:Temp"
 (New-Object System.Net.WebClient).DownloadFile(
    "https://go.dev/dl/$GoMsiVersion",
    "$Env:Temp\$GoMsiVersion"
 )
 Write-Output "Installing go..."
 Install-Package "$Env:Temp\$GoMsiVersion" -Force
 # Go installer updates global $PATH
 go env
 Write-Output "Installed"
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,169 +1,4 @@
-## 2024.2.1
+**Experimental**: This is a new format for release notes. The format and availability is subject to change.
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
 ## 2023.9.0
 ### Notices
 - The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
 ## 2023.7.0
 ### New Features
 - You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
 ## 2023.4.1
 ### New Features
 - You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
 ## 2023.3.2
 ### Notices
 - Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
 ## 2023.3.1
 ### Breaking Change
 - Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
 ### Security Fixes
 - Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
 ### Bug Fixes
 - Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
 ## 2023.2.2
 ### Notices
 - Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
 - h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
 ## 2023.2.1
 ### Bug fixes
 - Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
 - cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
 - Fixed a bug introduced in the previous release where debug endpoints were removed.
 ## 2022.12.0
 ### Improvements
 - cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
 - cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
 - cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
 ## 2022.9.0
 ### New Features
 - cloudflared now rejects ingress rules with invalid http status codes for http_status.
 ## 2022.8.1
 ### New Features
 - cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
  protocol on connection failures.
 ## 2022.7.1
 ### New Features
 - It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
 ### Bug Fixes
 - Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.
 ## 2022.4.0
 ### Bug Fixes
 - `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
 that allows to run the Tunnel.
 ## 2022.3.4
 ### New Features
 - It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is
 achievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for
 Tunnels created with cloudflared version 2022.3.0 or more recent.
 ### Bug Fixes
 - `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the
 behaviour in Windows and MacOS).
 ## 2022.3.3
 ### Bug Fixes
 - `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the
 behaviour in MacOS).
 ## 2022.3.1
 ### Bug Fixes
 - Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.
 ## 2022.3.0
 ### New Features
 - It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.
 If the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with
 `unix+tls:/` for HTTPS.
 ## 2022.2.1
 ### New Features
 - This project now has a new LICENSE that is more compliant with open source purposes.
 ### Bug Fixes
 - Various fixes to the reliability of `quic` protocol.
 ## 2022.1.3
 ### New Features
 - New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR
 can now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be
 made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
 ### Bug Fixes
 - Correctly handle proxying UDP datagrams with no payload.
 - Bug fix for origins that use Server-Sent Events (SSE).
 ## 2022.1.0
 ### Improvements
 - If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol
 (such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific
 protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it
 no matter what.
 ### Bug Fixes
 - Stopping cloudflared running with `quic` protocol now respects graceful shutdown.
 ## 2021.12.2
 ### Bug Fixes
 - Fix logging when `quic` transport is used and UDP traffic is proxied.
 - FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux
 and amd64.
 ## 2021.12.1
 ### Bug Fixes
 - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption
 methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted
 FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
 ## 2021.12.0
 ### New Features
 - Cloudflared binary released for amd64 linux is now FIPS compliant.
 ### Improvements
 - Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to
 Cloudflare edge that are active. Otherwise it logs `WARN` level.
 ### Bug Fixes
 - Fixes Github issue #501.
 ## 2021.11.0
 ### Improvements
 - Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or 
 egress rule.
 ## 2021.10.4
 ### Improvements
 - Collect quic transport metrics on RTT, packets and bytes transferred.
 ### Bug Fixes
 - Fix race condition that was writing to the connection after the http2 handler returns.
 ## 2021.9.2
 ### New features
 - `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add "protocol: quic" to your config.yml file or
 run cloudflared with the `--protocol quic` flag. e.g:
    `cloudflared tunnel --protocol quic run <tunnel-name>`
 ### Bug Fixes
 - Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`
 with `quic` protocol.
 - `cloudflared` docker images will now show version.
 ## 2021.8.4
 ### Improvements
--- a/10
+++ b/10
@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.22.2 as builder
+FROM golang:1.16.4 as builder
 ENV GO111MODULE=on \
    CGO_ENABLED=0 \
    TARGET_GOOS=${TARGET_GOOS} \
@ -12,15 +12,11 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian10:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,29 +0,0 @@
 # use a builder image for building cloudflare
 FROM golang:1.22.2 as builder
 ENV GO111MODULE=on \
    CGO_ENABLED=0
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian11:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,29 +0,0 @@
 # use a builder image for building cloudflare
 FROM golang:1.22.2 as builder
 ENV GO111MODULE=on \
    CGO_ENABLED=0
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian11:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/313
+++ b/313
@ -1,202 +1,155 @@
 SERVICES AGREEMENT
-                                 Apache License
+Your installation of this software is symbol of your signature indicating that
-                           Version 2.0, January 2004
+you accept the terms of this Services Agreement (this "Agreement").  This
-                        http://www.apache.org/licenses/
+Agreement is a legal agreement between you (either an individual or a single
 entity) and CloudFlare, Inc. for the services being provided to you by
 CloudFlare or its authorized representative (the "Services"), including any
 computer software and any associated media, printed materials, and "online" or
 electronic documentation provided in connection with the Services (the
 "Software" and together with the Services are hereinafter collectively referred
 to as the "Solution").  If the user is not an individual, then "you" means your
 company, its officers, members, employees, agents, representatives, successors
 and assigns.  BY USING THE SOLUTION, YOU ARE INDICATING THAT YOU HAVE READ, AND
 AGREE TO BE BOUND BY, THE POLICIES, TERMS, AND CONDITIONS SET FORTH BELOW IN
 THEIR ENTIRETY WITHOUT LIMITATION OR QUALIFICATION, AS WELL AS BY ALL APPLICABLE
 LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN YOUR NAME ON A CONTRACT.  IF YOU
 DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT USE THE SOLUTION.
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+1.    GRANT OF RIGHTS
-   1. Definitions.
+1.1	Grant of License.  The Solution is licensed by CloudFlare and its
 licensors, not sold.  Subject to the terms and conditions of this Agreement,
 CloudFlare hereby grants you a nonexclusive, nonsublicensable, nontransferable
 license to use the Solution.  You may examine source code, if provided to you,
 solely for the limited purpose of evaluating the Software for security flaws.
 You may also use the Service to create derivative works which are exclusively
 compatible with any CloudFlare product serviceand no other product or service.
 This license applies to the parts of the Solution developed by CloudFlare.  The
 Solution may also incorporate externally maintained libraries and other open software.
 These resources may be governed by other licenses.
-      "License" shall mean the terms and conditions for use, reproduction,
+1.2	Restrictions.  The license granted herein is granted solely to you and
-      and distribution as defined by Sections 1 through 9 of this document.
+not, by implication or otherwise, to any of your parents, subsidiaries or
 affiliates.  No right is granted hereunder to use the Solution to perform
 services for third parties. All rights not expressly granted hereunder are
 reserved to CloudFlare.  You may not use the Solution except as explicitly
 permitted under this Agreement.  You are expressly prohibited from modifying,
 adapting, translating, preparing derivative works from, decompiling, reverse
 engineering, disassembling or otherwise attempting to derive source code from
 the Software used to provide the Services or any internal data files generated
 by the Solution.  You are also prohibited from removing, obscuring or altering
 any copyright notice, trademarks, or other proprietary rights notices affixed to
 or associated with the Solution.
-      "Licensor" shall mean the copyright owner or entity authorized by
+1.3	Ownership.  As between the parties, CloudFlare and/or its licensors own
-      the copyright owner that is granting the License.
+and shall retain all right, title, and interest in and to the Solution,
 including any and all technology embodied therein, including all copyrights,
 patents, trade secrets, trade dress and other proprietary rights associated
 therewith, and any derivative works created there from.
-      "Legal Entity" shall mean the union of the acting entity and all
+2.	LIMITATION OF LIABILITY
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
-      "You" (or "Your") shall mean an individual or Legal Entity
+YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT DOWNLOADING THE SOFTWARE IS AT YOUR
-      exercising permissions granted by this License.
+SOLE RISK.  THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND
 AND CLOUDFLARE, ITS LICENSORS AND ITS AUTHORIZED REPRESENTATIVES (TOGETHER FOR
 PURPOSES HEREOF, "CLOUDFLARE") EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS OR
 IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  CLOUDFLARE DOES NOT
 WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR
 REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR
 ERROR-FREE, OR THAT DEFECTS IN THE SOFTWARE WILL BE CORRECTED.  FURTHERMORE,
 CLOUDFLARE DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE SOFTWARE
 OR RELATED DOCUMENTATION IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY,
 OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CLOUDFLARE SHALL
 CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY.
-      "Source" form shall mean the preferred form for making modifications,
+3.	CONFIDENTIALITY
      including but not limited to software source code, documentation
      source, and configuration files.
-      "Object" form shall mean any form resulting from mechanical
+It may be necessary during the set up and performance of the Solution for the
-      transformation or translation of a Source form, including but
+parties to exchange Confidential Information. "Confidential Information" means
-      not limited to compiled object code, generated documentation,
+any information whether oral, or written, of a private, secret, proprietary or
-      and conversions to other media types.
+confidential nature, concerning either party or its business operations,
 including without limitation: (a) your data and (b) CloudFlare's access control
 systems, specialized network equipment and techniques related to the Solution,
 use policies, which include trade secrets of CloudFlare and its licensors. Each
 party agrees to use the same degree of care to protect the confidentiality of
 the Confidential Information of the other party and to prevent its unauthorized
 use or dissemination as it uses to protect its own Confidential Information of a
 similar nature, but in no event shall exercise less than due diligence and
 reasonable care. Each party agrees to use the Confidential Information of the
 other party only for purposes related to the performance of this Agreement. All
 Confidential Information remains the property of the party disclosing the
 information and no license or other rights to Confidential Information is
 granted or implied hereby.
-      "Work" shall mean the work of authorship, whether in Source or
+4.	TERM AND TERMINATION
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
-      "Derivative Works" shall mean any work, whether in Source or Object
+4.1	Term.  This Agreement shall be effective upon download or install of the
-      form, that is based on (or derived from) the Work and for which the
+Software.
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
-      "Contribution" shall mean any work of authorship, including
+4.2	Termination. This Agreement may be terminated by CloudFlare or its
-      the original version of the Work and any modifications or additions
+authorized representative by written notice to you if any of the following
-      to that Work or Derivative Works thereof, that is intentionally
+events occur:  (i) you fail to pay any amounts due for the Services and the
-      submitted to Licensor for inclusion in the Work by the copyright owner
+Solution when due and after written notice of such nonpayment has been given to
-      or by an individual or Legal Entity authorized to submit on behalf of
+you; (ii) you are in material breach of any term, condition, or provision of
-      the copyright owner. For the purposes of this definition, "submitted"
+this Agreement or any other agreement executed by you with CloudFlare or its
-      means any form of electronic, verbal, or written communication sent
+authorized representative in connection with the provision of the Solution and
-      to the Licensor or its representatives, including but not limited to
+Services (a "Related Agreement"); or (iii) you terminate or suspend your
-      communication on electronic mailing lists, source code control systems,
+business, becomes subject to any bankruptcy or insolvency proceeding under
-      and issue tracking systems that are managed by, or on behalf of, the
+federal or state statutes, or become insolvent or subject to direct control by a
-      Licensor for the purpose of discussing and improving the Work, but
+trustee, receiver or similar authority.
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
-      "Contributor" shall mean Licensor and any individual or Legal Entity
+4.3	Effect of Termination.  Upon the termination of this Agreement for any
-      on behalf of whom a Contribution has been received by Licensor and
+reason: (1) all license rights granted hereunder shall terminate and (2) all
-      subsequently incorporated within the Work.
+Confidential Information shall be returned to the disclosing party or destroyed.
-   2. Grant of Copyright License. Subject to the terms and conditions of
+5.	MISCELLANEOUS
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
-   3. Grant of Patent License. Subject to the terms and conditions of
+5.1	Assignment.  You may not assign any of your rights or delegate any of
-      this License, each Contributor hereby grants to You a perpetual,
+your obligations under this Agreement, whether by operation of law or otherwise,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+without the prior express written consent of CloudFlare or its authorized
-      (except as stated in this section) patent license to make, have made,
+representative.  Any such assignment without the prior express written consent
-      use, offer to sell, sell, import, and otherwise transfer the Work,
+of CloudFlare or its authorized representative shall be void.  Subject to the
-      where such license applies only to those patent claims licensable
+foregoing, this Agreement will bind and inure to the benefit of the parties,
-      by such Contributor that are necessarily infringed by their
+their respective successors and permitted assigns.
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
-   4. Redistribution. You may reproduce and distribute copies of the
+5.2	Waiver and Amendment.  No modification, amendment or waiver of any
-      Work or Derivative Works thereof in any medium, with or without
+provision of this Agreement shall be effective unless in writing and signed by
-      modifications, and in Source or Object form, provided that You
+the party to be charged.  No failure or delay by either party in exercising any
-      meet the following conditions:
+right, power, or remedy under this Agreement, except as specifically provided
 herein, shall operate as a waiver of any such right, power or remedy.  Without
 limiting the foregoing, terms and conditions on any purchase orders or similar
 materials submitted by you to CloudFlare or its authorized representative shall
 be of no force or effect.
-      (a) You must give any other recipients of the Work or
+5.3	Governing Law.  This Agreement shall be governed by the laws of the State
-          Derivative Works a copy of this License; and
+of California, USA, excluding conflict of laws and provisions, and excluding the
 United Nations Convention on Contracts for the International Sale of Goods.
-      (b) You must cause any modified files to carry prominent notices
+5.4	Notices.  All notices, demands or consents required or permitted under
-          stating that You changed the files; and
+this Agreement shall be in writing.  Notice shall be sent to you at the e-mail
 address provided by you to CloudFlare or its authorized representative in
 connection with the Solution.
-      (c) You must retain, in the Source form of any Derivative Works
+5.5	Independent Contractors. The parties are independent contractors.
-          that You distribute, all copyright, patent, trademark, and
+Neither party shall be deemed to be an employee, agent, partner or legal
-          attribution notices from the Source form of the Work,
+representative of the other for any purpose and neither shall have any right,
-          excluding those notices that do not pertain to any part of
+power or authority to create any obligation or responsibility on behalf of the
-          the Derivative Works; and
+other.
-      (d) If the Work includes a "NOTICE" text file as part of its
+5.6	Severability.  If any provision of this Agreement is held by a court of
-          distribution, then any Derivative Works that You distribute must
+competent jurisdiction to be contrary to law, such provision shall be changed
-          include a readable copy of the attribution notices contained
+and interpreted so as to best accomplish the objectives of the original
-          within such NOTICE file, excluding those notices that do not
+provision to the fullest extent allowed by law and the remaining provisions of
-          pertain to any part of the Derivative Works, in at least one
+this Agreement shall remain in full force and effect.
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
-      You may add Your own copyright statement to Your modifications and
+5.7	Force Majeure.  CloudFlare shall not be liable to the other party for any
-      may provide additional or different license terms and conditions
+failure or delay in performance caused by reasons beyond its reasonable control.
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
-   5. Submission of Contributions. Unless You explicitly state otherwise,
+5.8	Complete Understanding.  This Agreement and the Related Agreement
-      any Contribution intentionally submitted for inclusion in the Work
+constitute the final, complete and exclusive agreement between the parties with
-      by You to the Licensor shall be under the terms and conditions of
+respect to the subject matter hereof, and supersedes all previous written and
-      this License, without any additional terms or conditions.
+oral agreements and communications related to the subject matter of this
-      Notwithstanding the above, nothing herein shall supersede or modify
+Agreement.  To the extent this Agreement and the Related Agreement conflict,
-      the terms of any separate license agreement you may have executed
+this Agreement shall control.
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright [yyyy] [name of copyright owner]
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/270
+++ b/270
@ -1,59 +1,30 @@
-# The targets cannot be run in parallel
+VERSION       := $(shell git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
 .NOTPARALLEL:
 VERSION       := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
 #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
-ifeq ($(ORIGINAL_NAME), true)
+ifeq ($(FIPS), true)
-	# Used for builds that want FIPS compilation but want the artifacts generated to still have the original name.
+	GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
-	BINARY_NAME := cloudflared
+endif
-else ifeq ($(FIPS), true)
+
-	# Used for FIPS compliant builds that do not match the case above.
+ifneq ($(GO_BUILD_TAGS),)
-	BINARY_NAME := cloudflared-fips
+	GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
 else
 	# Used for all other (non-FIPS) builds.
 	BINARY_NAME := cloudflared
 endif
 ifeq ($(NIGHTLY), true)
-	DEB_PACKAGE_NAME := $(BINARY_NAME)-nightly
+	DEB_PACKAGE_NAME := cloudflared-nightly
 	NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
 else
-	DEB_PACKAGE_NAME := $(BINARY_NAME)
+	DEB_PACKAGE_NAME := cloudflared
 endif
 DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
-VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
+VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
-LINK_FLAGS :=
+IMPORT_PATH   := github.com/cloudflare/cloudflared
-ifeq ($(FIPS), true)
+PACKAGE_DIR   := $(CURDIR)/packaging
-	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
+INSTALL_BINDIR := /usr/bin/
-	# Prevent linking with libc regardless of CGO enabled or not.
+MAN_DIR := /usr/share/man/man1/
 	GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "main.BuildType=FIPS"
 endif
 LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
 ifneq ($(GO_BUILD_TAGS),)
 	GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
 endif
 ifeq ($(debug), 1)
 	GO_BUILD_TAGS += -gcflags="all=-N -l"
 endif
 IMPORT_PATH    := github.com/cloudflare/cloudflared
 PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
 CF_GO_PATH     := /tmp/go
 PATH           := $(CF_GO_PATH)/bin:$(PATH)
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
@ -72,8 +43,6 @@ else ifeq ($(LOCAL_ARCH),arm64)
    TARGET_ARCH ?= arm64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
    TARGET_ARCH ?= arm
 else ifeq ($(LOCAL_ARCH),s390x)
    TARGET_ARCH ?= s390x
 else
    $(error This system's architecture $(LOCAL_ARCH) isn't supported)
 endif
@ -87,16 +56,14 @@ else ifeq ($(LOCAL_OS),windows)
    TARGET_OS ?= windows
 else ifeq ($(LOCAL_OS),freebsd)
    TARGET_OS ?= freebsd
 else ifeq ($(LOCAL_OS),openbsd)
    TARGET_OS ?= openbsd
 else
    $(error This system's OS $(LOCAL_OS) isn't supported)
 endif
 ifeq ($(TARGET_OS), windows)
-	EXECUTABLE_PATH=./$(BINARY_NAME).exe
+	EXECUTABLE_PATH=./cloudflared.exe
 else
-	EXECUTABLE_PATH=./$(BINARY_NAME)
+	EXECUTABLE_PATH=./cloudflared
 endif
 ifeq ($(FLAVOR), centos-7)
@ -105,19 +72,6 @@ else
 	TARGET_PUBLIC_REPO ?= $(FLAVOR)
 endif
 ifneq ($(TARGET_ARM), )
 	ARM_COMMAND := GOARM=$(TARGET_ARM)
 endif
 ifeq ($(TARGET_ARM), 7) 
 	PACKAGE_ARCH := armhf
 else
 	PACKAGE_ARCH := $(TARGET_ARCH)
 endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 .PHONY: all
 all: cloudflared test
@ -126,121 +80,187 @@ clean:
 	go clean
 .PHONY: cloudflared
-cloudflared:
+cloudflared: 
 ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
-	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
+	-test -f fips/fips.go && mv fips/fips.go fips/fips.go.linux-amd64
 	mv fips/fips.go.linux-amd64 fips/fips.go
 endif
-	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
+
 	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
-	rm -f cmd/cloudflared/fips.go
+	mv fips/fips.go fips/fips.go.linux-amd64
 	./check-fips.sh cloudflared
 endif
 .PHONY: container
 container:
 	docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
 .PHONY: generate-docker-version
 generate-docker-version:
 	echo latest $(VERSION) > versions
 .PHONY: test
 test: vet
 ifndef CI
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
+	go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
 else
 	@mkdir -p .cover
-	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
+	go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
 	go tool cover -html ".cover/c.out" -o .cover/all.html
 endif
 .PHONY: cover
 cover:
 	@echo ""
 	@echo "=====> Total test coverage: <====="
 	@echo ""
 	# Print the overall coverage here for quick access.
 	$Q go tool cover -func ".cover/c.out" | grep "total:" | awk '{print $$3}'
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
 .PHONY: test-ssh-server
 test-ssh-server:
 	docker-compose -f ssh_server_tests/docker-compose.yml up
-.PHONY: install-go
+define publish_package
-install-go:
+	chmod 664 cloudflared*.$(1); \
-	rm -rf ${CF_GO_PATH}
+	for HOST in $(CF_PKG_HOSTS); do \
-	./.teamcity/install-cloudflare-go.sh
+		ssh-keyscan -t rsa $$HOST >> ~/.ssh/known_hosts; \
 		scp -p -4 cloudflared*.$(1) cfsync@$$HOST:/state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/; \
 	done
 endef
-.PHONY: cleanup-go
+.PHONY: publish-deb
-cleanup-go:
+publish-deb: cloudflared-deb
-	rm -rf ${CF_GO_PATH}
+	$(call publish_package,deb,apt)
-cloudflared.1: cloudflared_man_template
+.PHONY: publish-rpm
-	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
+publish-rpm: cloudflared-rpm
 	$(call publish_package,rpm,yum)
 install: install-go cloudflared cloudflared.1 cleanup-go
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
 # When we build packages, the package name will be FIPS-aware.
 # But we keep the binary installed by it to be named "cloudflared" regardless.
 define build_package
 	mkdir -p $(PACKAGE_DIR)
 	cp cloudflared $(PACKAGE_DIR)/cloudflared
-	cp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1
+	cat cloudflared_man_template | sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' > $(PACKAGE_DIR)/cloudflared.1
-	fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
+	fakeroot fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
-		--description 'Cloudflare Tunnel daemon' \
+		--description 'Cloudflare Argo tunnel daemon' \
 		--vendor 'Cloudflare' \
-		--license 'Apache License Version 2.0' \
+		--license 'Cloudflare Service Agreement' \
 		--url 'https://github.com/cloudflare/cloudflared' \
 		-m 'Cloudflare <support@cloudflare.com>' \
-	    -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
+		-a $(TARGET_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
-		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)
+		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(MAN_DIR)
 endef
 .PHONY: cloudflared-deb
-cloudflared-deb: cloudflared cloudflared.1
+cloudflared-deb: cloudflared
 	$(call build_package,deb)
 .PHONY: cloudflared-rpm
-cloudflared-rpm: cloudflared cloudflared.1
+cloudflared-rpm: cloudflared
 	$(call build_package,rpm)
 .PHONY: cloudflared-pkg
-cloudflared-pkg: cloudflared cloudflared.1
+cloudflared-pkg: cloudflared
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
-cloudflared-msi:
+cloudflared-msi: cloudflared
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
-.PHONY: github-release-dryrun
+.PHONY: cloudflared-darwin-amd64.tgz
-github-release-dryrun:
+cloudflared-darwin-amd64.tgz: cloudflared
-	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
+	tar czf cloudflared-darwin-amd64.tgz cloudflared
 	rm cloudflared
 .PHONY: cloudflared-junos
 cloudflared-junos: cloudflared jetez-certificate.pem jetez-key.pem
 	jetez --source . \
 		  -j jet.yaml \
 		  --key jetez-key.pem \
 		  --cert jetez-certificate.pem \
 		  --version $(VERSION)
 	rm jetez-*.pem
 jetez-certificate.pem:
 ifndef JETEZ_CERT
 	$(error JETEZ_CERT not defined)
 endif
 	@echo "Writing JetEZ certificate"
 	@echo "$$JETEZ_CERT" > jetez-certificate.pem
 jetez-key.pem:
 ifndef JETEZ_KEY
 	$(error JETEZ_KEY not defined)
 endif
 	@echo "Writing JetEZ key"
 	@echo "$$JETEZ_KEY" > jetez-key.pem
 .PHONY: publish-cloudflared-junos
 publish-cloudflared-junos: cloudflared-junos cloudflared-x86-64.latest.s3
 ifndef S3_ENDPOINT
 	$(error S3_HOST not defined)
 endif
 ifndef S3_URI
 	$(error S3_URI not defined)
 endif
 ifndef S3_ACCESS_KEY
 	$(error S3_ACCESS_KEY not defined)
 endif
 ifndef S3_SECRET_KEY
 	$(error S3_SECRET_KEY not defined)
 endif
 	sha256sum cloudflared-x86-64-$(VERSION).tgz | awk '{printf $$1}' > cloudflared-x86-64-$(VERSION).tgz.shasum
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 		put cloudflared-x86-64-$(VERSION).tgz $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 		put cloudflared-x86-64-$(VERSION).tgz.shasum $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz.shasum
 	dpkg --compare-versions "$(VERSION)" gt "$(shell cat cloudflared-x86-64.latest.s3)" && \
 		echo -n "$(VERSION)" > cloudflared-x86-64.latest && \
 		s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 			put cloudflared-x86-64.latest $(S3_URI)/cloudflared-x86-64.latest || \
 		echo "Latest version not updated"
 cloudflared-x86-64.latest.s3:
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force \
 		get $(S3_URI)/cloudflared-x86-64.latest cloudflared-x86-64.latest.s3
 .PHONY: homebrew-upload
 homebrew-upload: cloudflared-darwin-amd64.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz  $(S3_URI)/cloudflared-stable-$1.tgz
 .PHONY: homebrew-release
 homebrew-release: homebrew-upload
 	./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
 .PHONY: github-release
-github-release:
+github-release: cloudflared
 	python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
 .PHONY: github-release-built-pkgs
 github-release-built-pkgs:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 .PHONY: github-message
 github-message:
 	python3 github_message.py --release-version $(VERSION)
-.PHONY: r2-linux-release
+.PHONY: github-mac-upload
-r2-linux-release:
+github-mac-upload:
-	python3 ./release_pkgs.py
+	python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
 	python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
-.PHONY: capnp
+.PHONY: tunnelrpc-deps
-capnp:
+tunnelrpc-deps:
 	which capnp  # https://capnproto.org/install.html
-	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
+	which capnpc-go  # go get zombiezen.com/go/capnproto2/capnpc-go
-	capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
+	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
 .PHONY: quic-deps
 quic-deps: 
 	which capnp 
 	which capnpc-go
 	capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
 .PHONY: vet
 vet:
-	go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	go vet -mod=vendor ./...
 	# go get github.com/sudarshan-reddy/go-sumtype (don't do this in build directory or this will cause vendor issues)
 	# Note: If you have github.com/BurntSushi/go-sumtype then you might have to use the repo above instead
 	# for now because it uses an older version of golang.org/x/tools.
 	which go-sumtype  
 	go-sumtype $$(go list -mod=vendor ./...)
-.PHONY: fmt
+.PHONY: goimports
-fmt:
+goimports:
-	goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
+	for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done
--- a/README.md
+++ b/README.md
@ -1,58 +1,41 @@
-# Cloudflare Tunnel client
+# Argo Tunnel client
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
 Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
 You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
 Contains the command-line client for Argo Tunnel, a tunneling daemon that proxies any local webserver through the Cloudflare network. Extensive documentation can be found in the [Argo Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
 ## Before you get started
-Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
+Before you use Argo Tunnel, you'll need to complete a few steps in the Cloudflare dashboard. The website you add to Cloudflare will be used to route traffic to your Tunnel.
-website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
+
 routing), but for legacy reasons this requirement is still necessary:
 1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
 2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
 ## Installing `cloudflared`
-Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
+Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the `cloudflared` GitHub repository.
 * You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
 * Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
 * You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
 * To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
 User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 User documentation for Argo Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 ## Creating Tunnels and routing traffic
-Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
+Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels that serve traffic for hostnames in your account.
 * Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
-* Route traffic to that Tunnel:
+* Route traffic to that Tunnel with [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns) or with a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
+Want to test Argo Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare).
 ## Deprecated versions
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
+Cloudflare currently supports versions of `cloudflared` 2020.5.1 and later. Breaking changes unrelated to feature availability may be introduced that will impact versions released prior to 2020.5.1. You can read more about upgrading `cloudflared` in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#updating-cloudflared).
-For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
+| Version(s) | Deprecation status |
 |---|---|
 | 2020.5.1 and later | Supported |
 | Versions prior to 2020.5.1 | No longer supported |
--- a/751
+++ b/751
@ -1,754 +1,3 @@
 2024.9.1
 - 2024-09-10 Revert Release 2024.9.0
 2024.9.0
 - 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.8.3
 - 2024-08-15 TUN-8591 login command without extra text
 - 2024-03-25 remove code that will not be executed
 - 2024-03-25 remove code that will not be executed
 2024.8.2
 - 2024-08-05 TUN-8583: change final directory of artifacts
 - 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true
 2024.7.3
 - 2024-07-31 TUN-8546: Fix final artifacts paths
 2024.7.2
 - 2024-07-17 TUN-8546: rework MacOS build script
 2024.7.1
 - 2024-07-16 TUN-8543: use -p flag to create intermediate directories
 2024.7.0
 - 2024-07-05 TUN-8520: add macos arm64 build
 - 2024-07-05 TUN-8523: refactor makefile and cfsetup
 - 2024-07-02 TUN-8504: Use pre-installed python version instead of downloading it on Windows builds
 - 2024-06-26 TUN-8489: Add default noop logger for capnprpc
 - 2024-06-25 TUN-8487: Add user-agent for quick-tunnel requests
 - 2023-12-12 TUN-8057: cloudflared uses new PQ curve ID
 2024.6.1
 - 2024-06-12 TUN-8461: Don't log Failed to send session payload if the error is EOF
 - 2024-06-07 TUN-8456: Update quic-go to 0.45 and collect mtu and congestion control metrics
 - 2024-06-06 TUN-8452: Add flag to control QUIC stream-level flow control limit
 - 2024-06-06 TUN-8451: Log QUIC flow control frames and transport parameters received
 - 2024-06-05 TUN-8449: Add flag to control QUIC connection-level flow control limit and increase default to 30MB
 2024.6.0
 - 2024-05-30 TUN-8441: Correct UDP total sessions metric to a counter and add new ICMP metrics
 - 2024-05-28 TUN-8422: Add metrics for capnp method calls
 - 2024-05-24 TUN-8424: Refactor capnp registration server
 - 2024-05-23 TUN-8427: Fix BackoffHandler's internally shared clock structure
 - 2024-05-21 TUN-8425: Remove ICMP binding for quick tunnels
 - 2024-05-20 TUN-8423: Deprecate older legacy tunnel capnp interfaces
 - 2024-05-15 TUN-8419: Add capnp safe transport
 - 2024-05-13 TUN-8415: Refactor capnp rpc into a single module
 2024.5.0
 - 2024-05-07 TUN-8407: Upgrade go to version 1.22.2
 2024.4.1
 - 2024-04-22 TUN-8380: Add sleep before requesting quick tunnel as temporary fix for component tests
 - 2024-04-19 TUN-8374: Close UDP socket if registration fails
 - 2024-04-18 TUN-8371: Bump quic-go to v0.42.0
 - 2024-04-03 TUN-8333: Bump go-jose dependency to v4
 - 2024-04-02 TUN-8331: Add unit testing for AccessJWTValidator middleware
 2024.4.0
 - 2024-04-02 feat: provide short version (#1206)
 - 2024-04-02 Format code
 - 2024-01-18 feat: auto tls sni
 - 2023-12-24 fix checkInPingGroup bugs
 - 2023-12-15 Add environment variables for TCP tunnel hostname / destination / URL.
 2024.3.0
 - 2024-03-14 TUN-8281: Run cloudflared query list tunnels/routes endpoint in a paginated way
 - 2024-03-13 TUN-8297: Improve write timeout logging on safe_stream.go
 - 2024-03-07 TUN-8290: Remove `|| true` from postrm.sh
 - 2024-03-05 TUN-8275: Skip write timeout log on "no network activity"
 - 2024-01-23 Update postrm.sh to fix incomplete uninstall
 - 2024-01-05 fix typo in errcheck for response parsing logic in CreateTunnel routine
 - 2023-12-23 Update linux_service.go
 - 2023-12-07 ci: bump actions/checkout to v4
 - 2023-12-07 ci/check: bump actions/setup-go to v5
 - 2023-04-28 check.yaml: bump actions/setup-go to v4
 2024.2.1
 - 2024-02-20 TUN-8242: Update Changes.md file with new remote diagnostics behaviour
 - 2024-02-19 TUN-8238: Fix type mismatch introduced by fast-forward
 - 2024-02-16 TUN-8243: Collect metrics on the number of QUIC frames sent/received
 - 2024-02-15 TUN-8238: Refactor proxy logging
 - 2024-02-14 TUN-8242: Enable remote diagnostics by default
 - 2024-02-12 TUN-8236: Add write timeout to quic and tcp connections
 - 2024-02-09 TUN-8224: Fix safety of TCP stream logging, separate connect and ack log messages
 2024.2.0
 - 2024-02-07 TUN-8224: Count and collect metrics on stream connect successes/errors
 2024.1.5
 - 2024-01-22 TUN-8176: Support ARM platforms that don't have an FPU or have it enabled in kernel
 - 2024-01-15 TUN-8158: Bring back commit e6537418859afcac29e56a39daa08bcabc09e048 and fixes infinite loop on linux when the socket is closed
 2024.1.4
 - 2024-01-19 Revert "TUN-8158: Add logging to confirm when ICMP reply is returned to the edge"
 2024.1.3
 - 2024-01-15 TUN-8161: Fix broken ARM build for armv6
 - 2024-01-15 TUN-8158: Add logging to confirm when ICMP reply is returned to the edge
 2024.1.2
 - 2024-01-11 TUN-8147: Disable ECN usage due to bugs in detecting if supported
 - 2024-01-11 TUN-8146: Fix export path for install-go command
 - 2024-01-11 TUN-8146: Fix Makefile targets should not be run in parallel and install-go script was missing shebang
 - 2024-01-10 TUN-8140: Remove homebrew scripts
 2024.1.1
 - 2024-01-10 TUN-8134: Revert installed prefix to /usr
 - 2024-01-09 TUN-8130: Fix path to install go for mac build
 - 2024-01-09 TUN-8129: Use the same build command between branch and release builds
 - 2024-01-09 TUN-8130: Install go tool chain in /tmp on build agents
 - 2024-01-09 TUN-8134: Install cloudflare go as part of make install
 - 2024-01-08 TUN-8118: Disable FIPS module to build with go-boring without CGO_ENABLED
 2024.1.0
 - 2024-01-01 TUN-7934: Update quic-go to a version that queues datagrams for better throughput and drops large datagram
 - 2023-12-20 TUN-8072: Need to set GOCACHE in mac go installation script
 - 2023-12-17 TUN-8072: Add script to download cloudflare go for Mac build agents
 - 2023-12-15 Fix nil pointer dereference segfault when passing "null" config json to cloudflared tunnel ingress validate (#1070)
 - 2023-12-15 configuration.go: fix developerPortal link (#960)
 - 2023-12-14 tunnelrpc/pogs: fix dropped test errors (#1106)
 - 2023-12-14 cmd/cloudflared/updater: fix dropped error (#1055)
 - 2023-12-14 use os.Executable to discover the path to cloudflared (#1040)
 - 2023-12-14 Remove extraneous `period` from Path Environment Variable (#1009)
 - 2023-12-14 Use CLI context when running tunnel (#597)
 - 2023-12-14 TUN-8066: Define scripts to build on Windows agents
 - 2023-12-11 TUN-8052: Update go to 1.21.5
 - 2023-12-07 TUN-7970: Default to enable post quantum encryption for quic transport
 - 2023-12-04 TUN-8006: Update quic-go to latest upstream
 - 2023-11-15 VULN-44842 Add a flag that allows users to not send the Access JWT to stdout
 - 2023-11-13 TUN-7965: Remove legacy incident status page check
 - 2023-11-13 AUTH-5682 Org token flow in Access logins should pass CF_AppSession cookie
 2023.10.0
 - 2023-10-06 TUN-7864: Document cloudflared versions support
 - 2023-10-03 CUSTESC-33731: Make rule match test report rule in 0-index base
 - 2023-09-22 TUN-7824: Fix usage of systemctl status to detect which services are installed
 - 2023-09-20 TUN-7813: Improve tunnel delete command to use cascade delete
 - 2023-09-20 TUN-7787: cloudflared only list ip routes targeted for cfd_tunnel
 - 2023-09-15 TUN-7787: Refactor cloudflared to use new route endpoints based on route IDs
 - 2023-09-08 TUN-7776: Remove warp-routing flag from cloudflared
 - 2023-09-05 TUN-7756: Clarify that QUIC is mandatory to support ICMP proxying
 2023.8.2
 - 2023-08-25 TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography
 - 2023-08-22 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled
 2023.8.1
 - 2023-08-23 TUN-7718: Update R2 Token to no longer encode secret
 2023.8.0
 - 2023-07-26 TUN-7584: Bump go 1.20.6
 2023.7.3
 - 2023-07-25 TUN-7628: Correct Host parsing for Access
 - 2023-07-24 TUN-7624: Fix flaky TestBackoffGracePeriod test in cloudflared
 2023.7.2
 - 2023-07-19 TUN-7599: Onboard cloudflared to Software Dashboard
 - 2023-07-19 TUN-7587: Remove junos builds
 - 2023-07-18 TUN-7597: Add flag to disable auto-update services to be installed
 - 2023-07-17 TUN-7594: Add nightly arm64 cloudflared internal deb publishes
 - 2023-07-14 TUN-7586: Upgrade go-jose/go-jose/v3 and core-os/go-oidc/v3
 - 2023-07-14 TUN-7589: Remove legacy golang.org/x/crypto/ssh/terminal package usage
 - 2023-07-14 TUN-7590: Remove usages of ioutil
 - 2023-07-14 TUN-7585: Remove h2mux compression
 - 2023-07-14 TUN-7588: Update package coreos/go-systemd
 2023.7.1
 - 2023-07-13 TUN-7582: Correct changelog wording for --management-diagnostics
 - 2023-07-12 TUN-7575: Add option to disable PTMU discovery over QUIC
 2023.7.0
 - 2023-07-06 TUN-7558: Flush on Writes for StreamBasedOriginProxy
 - 2023-07-05 TUN-7553: Add flag to enable management diagnostic services
 - 2023-07-05 TUN-7564: Support cf-trace-id for cloudflared access
 - 2023-07-05 TUN-7477: Decrement UDP sessions on shutdown
 - 2023-07-03 TUN-7545: Add support for full bidirectionally streaming with close signal propagation
 - 2023-06-30 TUN-7549: Add metrics route to management service
 - 2023-06-30 TUN-7551: Complete removal of raven-go to sentry-go
 - 2023-06-30 TUN-7550: Add pprof endpoint to management service
 - 2023-06-29 TUN-7543: Add --debug-stream flag to cloudflared access ssh
 - 2023-06-26 TUN-6011: Remove docker networks from ICMP Proxy test
 - 2023-06-20 AUTH-5328 Pass cloudflared_token_check param when running cloudflared access login
 2023.6.1
 - 2023-06-19 TUN-7480: Added a timeout for unregisterUDP.
 - 2023-06-16 TUN-7477: Add UDP/TCP session metrics
 - 2023-06-14 TUN-7468: Increase the limit of incoming streams
 2023.6.0
 - 2023-06-15 TUN-7471: Fixes cloudflared not closing the quic stream on unregister UDP session
 - 2023-06-09 TUN-7463: Add default ingress rule if no ingress rules are provided when updating the configuration
 - 2023-05-31 TUN-7447: Add a cover build to report code coverage
 2023.5.1
 - 2023-05-16 TUN-7424: Add CORS headers to host_details responses
 - 2023-05-11 TUN-7421: Add *.cloudflare.com to permitted Origins for management WebSocket requests
 - 2023-05-05 TUN-7404: Default configuration version set to -1
 - 2023-05-05 TUN-7227: Migrate to devincarr/quic-go
 2023.5.0
 - 2023-04-27 TUN-7398: Add support for quic safe stream to set deadline
 - 2023-04-26 TUN-7394: Retry StartFirstTunnel on quic.ApplicationErrors
 - 2023-04-26 TUN-7392: Ignore release checksum upload if asset already uploaded
 - 2023-04-25 TUN-7392: Ignore duplicate artifact uploads for github release
 - 2023-04-25 TUN-7393: Add json output for cloudflared tail
 - 2023-04-24 TUN-7390: Remove Debian stretch builds
 2023.4.2
 - 2023-04-24 TUN-7133: Add sampling support for streaming logs
 - 2023-04-21 TUN-7141: Add component tests for streaming logs
 - 2023-04-21 TUN-7373: Streaming logs override for same actor
 - 2023-04-20 TUN-7383: Bump requirements.txt
 - 2023-04-19 TUN-7361: Add a label to override hostname
 - 2023-04-19 TUN-7378: Remove RPC debug logs
 - 2023-04-18 TUN-7360: Add Get Host Details handler in management service
 - 2023-04-17 AUTH-3122 Verify that Access tokens are still valid in curl command
 - 2023-04-17 TUN-7129: Categorize TCP logs for streaming logs
 - 2023-04-17 TUN-7130: Categorize UDP logs for streaming logs
 - 2023-04-10 AUTH-4887 Add aud parameter to token transfer url
 2023.4.1
 - 2023-04-13 TUN-7368: Report destination address for TCP requests in logs
 - 2023-04-12 TUN-7134: Acquire token for cloudflared tail
 - 2023-04-12 TUN-7131: Add cloudflared log event to connection messages and enable streaming logs
 - 2023-04-11 TUN-7132 TUN-7136: Add filter support for streaming logs
 - 2023-04-06 TUN-7354: Don't warn for empty ingress rules when using --token
 - 2023-04-06 TUN-7128: Categorize logs from public hostname locations
 - 2023-04-06 TUN-7351: Add streaming logs session ping and timeout
 - 2023-04-06 TUN-7335: Fix cloudflared update not working in windows
 2023.4.0
 - 2023-04-07 TUN-7356: Bump golang.org/x/net package to 0.7.0
 - 2023-04-07 TUN-7357: Bump to go 1.19.6
 - 2023-04-06 TUN-7127: Disconnect logger level requirement for management
 - 2023-04-05 TUN-7332: Remove legacy tunnel force flag
 - 2023-04-05 TUN-7135: Add cloudflared tail
 - 2023-04-04 Add suport for OpenBSD (#916)
 - 2023-04-04 Fix typo (#918)
 - 2023-04-04 TUN-7125: Add management streaming logs WebSocket protocol
 - 2023-03-30 TUN-9999: Remove classic tunnel component tests
 - 2023-03-30 TUN-7126: Add Management logger io.Writer
 - 2023-03-29 TUN-7324: Add http.Hijacker to connection.ResponseWriter
 - 2023-03-29 TUN-7333: Default features checkable at runtime across all packages
 - 2023-03-21 TUN-7124: Add intercept ingress rule for management requests
 2023.3.1
 - 2023-03-13 TUN-7271: Return 503 status code when no ingress rules configured
 - 2023-03-10 TUN-7272: Fix cloudflared returning non supported status service which breaks configuration migration
 - 2023-03-09 TUN-7259: Add warning for missing ingress rules
 - 2023-03-09 TUN-7268: Default to Program Files as location for win32
 - 2023-03-07 TUN-7252: Remove h2mux connection
 - 2023-03-07 TUN-7253: Adopt http.ResponseWriter for connection.ResponseWriter
 - 2023-03-06 TUN-7245: Add bastion flag to origin service check
 - 2023-03-06 EDGESTORE-108: Remove deprecated s3v2 signature
 - 2023-03-02 TUN-7226: Fixed a missed rename
 2023.3.0
 - 2023-03-01 GH-352: Add Tunnel CLI option "edge-bind-address" (#870)
 - 2023-03-01 Fixed WIX template to allow MSI upgrades (#838)
 - 2023-02-28 TUN-7213: Decode Base64 encoded key before writing it
 - 2023-02-28 check.yaml: update actions to v3 (#876)
 - 2023-02-27 TUN-7213: Debug homebrew-cloudflare  build
 - 2023-02-15 RTG-2476 Add qtls override for Go 1.20
 2023.2.2
 - 2023-02-22 TUN-7197: Add connIndex tag to debug messages of incoming requests
 - 2023-02-08 TUN-7167: Respect protocol overrides with --token
 - 2023-02-06 TUN-7065: Remove classic tunnel creation
 - 2023-02-06 TUN-6938: Force h2mux protocol to http2 for named tunnels
 - 2023-02-06 TUN-6938: Provide QUIC as first in protocol list
 - 2023-02-03 TUN-7158: Correct TCP tracing propagation
 - 2023-02-01 TUN-7151: Update changes file with latest release notices
 2023.2.1
 - 2023-02-01 TUN-7065: Revert Ingress Rule check for named tunnel configurations
 - 2023-02-01 Revert "TUN-7065: Revert Ingress Rule check for named tunnel configurations"
 - 2023-02-01 Revert "TUN-7065: Remove classic tunnel creation"
 2023.1.0
 - 2023-01-10 TUN-7064: RPM digests are now sha256 instead of md5sum
 - 2023-01-04 RTG-2418 Update qtls
 - 2022-12-24 TUN-7057: Remove dependency github.com/gorilla/mux
 - 2022-12-24 TUN-6724: Migrate to sentry-go from raven-go
 2022.12.1
 - 2022-12-20 TUN-7021: Fix proxy-dns not starting when cloudflared tunnel is run
 - 2022-12-15 TUN-7010: Changelog for release 2022.12.0
 2022.12.0
 - 2022-12-14 TUN-6999: cloudflared should attempt other edge addresses before falling back on protocol
 - 2022-12-13 TUN-7004: Dont show local config dirs for remotely configured tuns
 - 2022-12-12 TUN-7003: Tempoarily disable erroneous notarize-app
 - 2022-12-12 TUN-7003: Add back a missing fi
 - 2022-12-07 TUN-7000: Reduce metric cardinality of closedConnections metric by removing error as tag
 - 2022-12-07 TUN-6994: Improve logging config file not found
 - 2022-12-07 TUN-7002: Randomise first region selection
 - 2022-12-07 TUN-6995: Disable quick-tunnels spin up by default
 - 2022-12-05 TUN-6984: Add bash set x to improve visibility during builds
 - 2022-12-05 TUN-6984: [CI] Ignore security import errors for code_sigining
 - 2022-12-05 TUN-6984: [CI] Don't fail on unset.
 - 2022-11-30 TUN-6984: Set euo pipefile for homebrew builds
 2022.11.1
 - 2022-11-29 TUN-6981: We should close UDP socket if failed to connecto to edge
 - 2022-11-25 CUSTESC-23757: Fix a bug where a wildcard ingress rule would match an host without starting with a dot
 - 2022-11-24 TUN-6970: Print newline when printing tunnel token
 - 2022-11-22 TUN-6963: Refactor Metrics service setup
 2022.11.0
 - 2022-11-16 Revert "TUN-6935: Cloudflared should use APIToken instead of serviceKey"
 - 2022-11-16 TUN-6929: Use same protocol for other connections as first one
 - 2022-11-14 TUN-6941: Reduce log level to debug when failing to proxy ICMP reply
 - 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey
 - 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey
 - 2022-11-11 TUN-6937: Bump golang.org/x/* packages to new release tags
 - 2022-11-10 ZTC-234: macOS tests
 - 2022-11-09 TUN-6927: Refactor validate access configuration to allow empty audTags only
 - 2022-11-08 ZTC-234: Replace ICMP funnels when ingress connection changes
 - 2022-11-04 TUN-6917: Bump go to 1.19.3
 - 2022-11-02 Issue #574: Better ssh config for short-lived cert (#763)
 - 2022-10-28 TUN-6898: Fix bug handling IPv6 based ingresses with missing port
 - 2022-10-28 TUN-6898: Refactor addPortIfMissing
 2022.10.3
 - 2022-10-24 TUN-6871: Add default feature to cloudflared to support EOF on QUIC connections
 - 2022-10-19 TUN-6876: Fix flaky TestTraceICMPRouterEcho by taking account request span can return before reply
 - 2022-10-18 TUN-6867: Clear spans right after they are serialized to avoid returning duplicate spans
 2022.10.2
 - 2022-10-18 TUN-6869: Fix Makefile complaining about missing GO packages
 - 2022-10-18 TUN-6864: Don't reuse port in quic unit tests
 - 2022-10-18 TUN-6868: Return left padded tracing ID when tracing identity is converted to string
 2022.10.1
 - 2022-10-16 TUN-6861: Trace ICMP on Windows
 - 2022-10-15 TUN-6860: Send access configuration keys to the edge
 - 2022-10-14 TUN-6858: Trace ICMP reply
 - 2022-10-13 TUN-6855: Add DatagramV2Type for IP packet with trace and tracing spans
 - 2022-10-13 TUN-6856: Refactor to lay foundation for tracing ICMP
 - 2022-10-13 TUN-6604: Trace icmp echo request on Linux and Darwin
 - 2022-10-12 Fix log message (#591)
 - 2022-10-12 TUN-6853: Reuse source port when connecting to the edge for quic connections
 - 2022-10-11 TUN-6829: Allow user of datagramsession to control logging level of errors
 - 2022-10-10 RTG-2276 Update qtls and go mod tidy
 - 2022-10-05 Add post-quantum flag to quick tunnel
 - 2022-10-05 TUN-6823: Update github release message to pull from KV
 - 2022-10-04 TUN-6825: Fix cloudflared:version images require arch hyphens
 - 2022-10-03 TUN-6806: Add ingress rule number to log when filtering due to middlware handler
 - 2022-08-17 Label correct container
 - 2022-08-16 Fix typo in help text for `cloudflared tunnel route lb`
 - 2022-07-18 drop usage of cat when sed is invoked to generate the manpage
 - 2021-03-15 update-build-readme
 - 2021-03-15 fix link
 2022.10.0
 - 2022-09-30 TUN-6755: Remove unused publish functions
 - 2022-09-30 TUN-6813: Only proxy ICMP packets when warp-routing is enabled
 - 2022-09-29 TUN-6811: Ping group range should be parsed as int32
 - 2022-09-29 TUN-6812: Drop IP packets if ICMP proxy is not initialized
 - 2022-09-28 TUN-6716: Document limitation of Windows ICMP proxy
 - 2022-09-28 TUN-6810: Add component test for post-quantum
 - 2022-09-27 TUN-6715: Provide suggestion to add cloudflared to ping_group_range if it failed to open ICMP socket
 - 2022-09-22 TUN-6792: Fix brew core release by not auditing the formula
 - 2022-09-22 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
 - 2022-09-22 TUN-6775: Add middleware.Handler verification to ProxyHTTP
 - 2022-09-22 TUN-6791: Calculate ICMPv6 checksum
 - 2022-09-22 TUN-6801: Add punycode alternatives for ingress rules
 - 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
 - 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
 - 2022-09-21 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
 - 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
 - 2022-09-20 TUN-6741: ICMP proxy tries to listen on specific IPv4 & IPv6 when possible
 2022.9.1
 - 2022-09-20 TUN-6777: Fix race condition in TestFunnelIdleTimeout
 - 2022-09-20 TUN-6595: Enable datagramv2 and icmp proxy by default
 - 2022-09-20 TUN-6773: Add access based configuration to ingress.OriginRequestConfig
 - 2022-09-19 TUN-6778: Cleanup logs about ICMP
 - 2022-09-19 TUN-6779: cloudflared should also use the root CAs from system pool to validate edge certificate
 - 2022-09-19 TUN-6780: Add support for certReload to also include support for client certificates
 - 2022-09-16 TUN-6767: Build ICMP proxy for Windows only when CGO is enabled
 - 2022-09-15 TUN-6590: Use Windows Teamcity agent to build binary
 - 2022-09-13 TUN-6592: Decrement TTL and return ICMP time exceed if it's 0
 - 2022-09-09 TUN-6749: Fix icmp_generic build
 - 2022-09-09 TUN-6744: On posix platforms, assign unique echo ID per (src, dst, echo ID)
 - 2022-09-08 TUN-6743: Support ICMPv6 echo on Windows
 - 2022-09-08 TUN-6689: Utilize new RegisterUDPSession to begin tracing
 - 2022-09-07 TUN-6688: Update RegisterUdpSession capnproto to include trace context
 - 2022-09-06 TUN-6740: Detect no UDP packets allowed and fallback from QUIC in that case
 - 2022-09-06 TUN-6654: Support ICMPv6 on Linux and Darwin
 - 2022-09-02 TUN-6696: Refactor flow into funnel and close idle funnels
 - 2022-09-02 TUN-6718: Bump go and go-boring 1.18.6
 - 2022-08-29 TUN-6531: Implement ICMP proxy for Windows using IcmpSendEcho
 - 2022-08-24 RTG-1339 Support post-quantum hybrid key exchange
 2022.9.0
 - 2022-09-05 TUN-6737: Fix datagramV2Type should be declared in its own block so it starts at 0
 - 2022-09-01 TUN-6725: Fix testProxySSEAllData
 - 2022-09-01 TUN-6726: Fix maxDatagramPayloadSize for Windows QUIC datagrams
 - 2022-09-01 TUN-6729: Fix flaky TestClosePreviousProxies
 - 2022-09-01 TUN-6728: Verify http status code ingress rule
 - 2022-08-25 TUN-6695: Implement ICMP proxy for linux
 2022.8.4
 - 2022-08-31 TUN-6717: Update Github action to run with Go 1.19
 - 2022-08-31 TUN-6720: Remove forcibly closing connection during reconnect signal
 - 2022-08-29 Release 2022.8.3
 2022.8.3
 - 2022-08-26 TUN-6708: Fix replace flow logic
 - 2022-08-25 TUN-6705: Tunnel should retry connections forever
 - 2022-08-25 TUN-6704: Honor protocol flag when edge discovery is unreachable
 - 2022-08-25 TUN-6699: Add metric for packet too big dropped
 - 2022-08-24 TUN-6691: Properly error check for net.ErrClosed
 - 2022-08-22 TUN-6679: Allow client side of quic request to close body
 - 2022-08-22 TUN-6586: Change ICMP proxy to only build for Darwin and use echo ID to track flows
 - 2022-08-18 TUN-6530: Implement ICMPv4 proxy
 - 2022-08-17 TUN-6666: Define packet package
 - 2022-08-17 TUN-6667: DatagramMuxerV2 provides a method to receive RawPacket
 - 2022-08-16 TUN-6657: Ask for Tunnel ID and Configuration on Bug Report
 - 2022-08-16 TUN-6676: Add suport for trailers in http2 connections
 - 2022-08-11 TUN-6575: Consume cf-trace-id from incoming http2 TCP requests
 2022.8.2
 - 2022-08-16 TUN-6656: Docker for arm64 should not be deployed in an amd64 container
 2022.8.1
 - 2022-08-15 TUN-6617: Updated CHANGES.md for protocol stickiness
 - 2022-08-12 EDGEPLAT-3918: bump go and go-boring to 1.18.5
 - 2022-08-12 TUN-6652: Publish dockerfile for both amd64 and arm64
 - 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
 - 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
 - 2022-08-11 Revert "TUN-6617: Dont fallback to http2 if QUIC conn was successful."
 - 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
 - 2022-08-01 TUN-6584: Define QUIC datagram v2 format to support proxying IP packets
 2022.8.0
 - 2022-08-10 TUN-6637: Upgrade quic-go
 - 2022-08-10 TUN-6646: Add support to SafeStreamCloser to close only write side of stream
 - 2022-08-09 TUN-6642: Fix unexpected close of quic stream triggered by upstream origin close
 - 2022-08-09 TUN-6639: Validate cyclic ingress configuration
 - 2022-08-08 TUN-6637: Upgrade go version and quic-go
 - 2022-08-08 TUN-6639: Validate cyclic ingress configuration
 - 2022-08-04 EDGEPLAT-3918: build cloudflared for Bookworm
 - 2022-08-02 Revert "TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span"
 - 2022-07-27 TUN-6601: Update gopkg.in/yaml.v3 references in modules
 - 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span
 - 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span
 - 2022-07-25 TUN-6598: Remove auto assignees on github issues
 - 2022-07-20 TUN-6583: Remove legacy --ui flag
 - 2022-07-20 cURL supports stdin and uses os pipes directly without copying
 - 2022-07-07 TUN-6517: Use QUIC stream context while proxying HTTP requests and TCP connections
 2022.7.1
 - 2022-07-06 TUN-6503: Fix transport fallback from QUIC in face of dial error "no network activity"
 2022.7.0
 - 2022-07-05 TUN-6499: Remove log that is per datagram
 - 2022-06-24 TUN-6460: Rename metric label location to edge_location
 - 2022-06-24 TUN-6459: Add cloudflared user-agent to access calls
 - 2022-06-17 TUN-6427: Differentiate between upstream request closed/canceled and failed origin requests
 - 2022-06-17 TUN-6388: Fix first tunnel connection not retrying
 - 2022-06-13 TUN-6384: Correct duplicate connection error to fetch new IP first
 - 2022-06-13 TUN-6373: Add edge-ip-version to remotely pushed configuration
 - 2022-06-07 TUN-6010: Add component tests for --edge-ip-version
 - 2022-05-20 TUN-6007: Implement new edge discovery algorithm
 - 2022-02-18 Ensure service install directories are created before writing file
 2022.6.3
 - 2022-06-20 TUN-6362: Add armhf support to cloudflare packaging
 2022.6.2
 - 2022-06-13 TUN-6381: Write error data on QUIC stream when we fail to talk to the origin; separate logging for protocol errors vs. origin errors.
 - 2022-06-17 TUN-6414: Remove go-sumtype from cloudflared build process
 - 2022-06-01 Add Http2Origin option to force HTTP/2 origin connections
 - 2022-06-02 fix ingress rules unit test
 - 2022-06-09 Update remaining OriginRequestConfig functions for Http2Origins
 - 2022-05-31 Add image source label to docker container.
 - 2022-05-10 Warp Private Network link updated
 2022.6.1
 - 2022-06-14 TUN-6395: Fix writing RPM repo data
 2022.6.0
 - 2022-06-14 Revert "TUN-6010: Add component tests for --edge-ip-version"
 - 2022-06-14 Revert "TUN-6373: Add edge-ip-version to remotely pushed configuration"
 - 2022-06-14 Revert "TUN-6384: Correct duplicate connection error to fetch new IP first"
 - 2022-06-14 Revert "TUN-6007: Implement new edge discovery algorithm"
 - 2022-06-13 TUN-6385: Don't share err between acceptStream loop and per-stream goroutines
 - 2022-06-13 TUN-6384: Correct duplicate connection error to fetch new IP first
 - 2022-06-13 TUN-6373: Add edge-ip-version to remotely pushed configuration
 - 2022-06-13 TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy.
 - 2022-06-11 Update issue templates
 - 2022-06-11 Amendment to previous PR
 - 2022-06-09 TUN-6347: Add TCP stream logs with FlowID
 - 2022-06-08 TUN-6361: Add cloudflared arm builds to pkging as well
 - 2022-06-07 TUN-6357: Add connector id to ready check endpoint
 - 2022-06-07 TUN-6010: Add component tests for --edge-ip-version
 - 2022-06-06 TUN-6191: Update quic-go to v0.27.1 and with custom patch to allow keep alive period to be configurable
 - 2022-06-03 TUN-6343: Fix QUIC->HTTP2 fallback
 - 2022-06-02 TUN-6339: Add config for IPv6 support
 - 2022-06-02 TUN-6341: Fix default config value for edge-ip-version
 - 2022-06-01 TUN-6323: Add Xenial and Trusty for Ubuntu pkging
 - 2022-05-31 TUN-6210: Add cloudflared.repo to make it easy for yum installs
 - 2022-05-30 TUN-6293: Update yaml v3 to latest hotfix
 - 2022-05-20 TUN-6007: Implement new edge discovery algorithm
 2022.5.3
 - 2022-05-30 TUN-6308: Add debug logs to see if packets are sent/received from edge
 - 2022-05-30 TUN-6301: Allow to update logger used by UDP session manager
 2022.5.2
 - 2022-05-23 TUN-6270: Import gpg keys from environment variables
 - 2022-05-24 TUN-6209: Improve feedback process if release_pkgs to deb and rpm fail
 - 2022-05-24 TUN-6280: Don't wrap qlog connection tracer for gatethering QUIC metrics since we're not writing qlog files.
 - 2022-05-25 TUN-6209: Sign RPM packages
 - 2022-05-25 TUN-6285: Upload pkg assets to repos when cloudflared is released.
 - 2022-05-24 TUN-6282: Upgrade golang to 1.17.10, go-boring to 1.17.9
 - 2022-05-26 TUN-6292: Debug builds for cloudflared
 - 2022-05-28 TUN-6304: Fixed some file permission issues
 - 2022-05-11 TUN-6197: Publish to brew core should not try to open the browser
 - 2022-05-12 TUN-5943: Add RPM support
 - 2022-05-18 TUN-6248: Fix panic in cloudflared during tracing when origin doesn't provide header map
 - 2022-05-18 TUN-6250: Add upstream response status code to tracing span attributes
 2022.5.1
 - 2022-05-06 TUN-6146: Release_pkgs is now a generic command line script
 - 2022-05-06 TUN-6185: Fix tcpOverWSOriginService not using original scheme for String representation
 - 2022-05-05 TUN-6175: Simply debian packaging by structural upload
 - 2022-05-05 TUN-5945: Added support for Ubuntu releases
 - 2022-05-04 TUN-6054: Create and upload deb packages to R2
 - 2022-05-03 TUN-6161: Set git user/email for brew core release
 - 2022-05-03 TUN-6166: Fix mocked QUIC transport for UDP proxy manager to return expected error
 - 2022-04-27 TUN-6016: Push local managed tunnels configuration to the edge
 2022.5.0
 - 2022-05-02 TUN-6158: Update golang.org/x/crypto
 - 2022-04-20 VULN-8383 Bump yaml.v2 to yaml.v3
 - 2022-04-21 TUN-6123: For a given connection with edge, close all datagram sessions through this connection when it's closed
 - 2022-04-20 TUN-6015: Add RPC method for pushing local config
 - 2022-04-21 TUN-6130: Fix vendoring due to case sensitive typo in package
 - 2022-04-27 TUN-6142: Add tunnel details support to RPC
 - 2022-04-28 TUN-6014: Add remote config flag as default feature
 - 2022-04-12 TUN-6000: Another fix for publishing to brew core
 - 2022-04-11 TUN-5990: Add otlp span export to response header
 - 2022-04-19 TUN-6070: First connection retries other edge IPs if the error is quic timeout(likely due to firewall blocking UDP)
 - 2022-04-11 TUN-6030: Add ttfb span for origin http request
 2022.4.1
 - 2022-04-11 TUN-6035: Reduce buffer size when proxying data
 - 2022-04-11 TUN-6038: Reduce buffer size used for proxying data
 - 2022-04-11 TUN-6043: Allow UI-managed Tunnels to fallback from QUIC but warn about that
 - 2022-04-07 TUN-6000 add version argument to bump-formula-pr
 - 2022-04-06 TUN-5989: Add in-memory otlp exporter
 2022.4.0
 - 2022-04-01 TUN-5973: Add backoff for non-recoverable errors as well
 - 2022-04-05 TUN-5992: Use QUIC protocol for remotely managed tunnels when protocol is unspecified
 - 2022-04-06 Update Makefile
 - 2022-04-06 TUN-5995: Update prometheus to 1.12.1 to avoid vulnerabilities
 - 2022-04-07 TUN-5995: Force prometheus v1.12.1 usage
 - 2022-04-07 TUN-4130: cloudflared docker images now have a latest tag
 - 2022-03-30 TUN-5842: Fix flaky TestConcurrentUpdateAndRead by making sure resources are released
 - 2022-03-30 carrier: fix dropped errors
 - 2022-03-25 TUN-5959: tidy go.mod
 - 2022-03-25 TUN-5958: Fix release to homebrew core
 - 2022-03-28 TUN-5960: Do not log the tunnel token or json credentials
 - 2022-03-28 TUN-5956: Add timeout to session manager APIs
 2022.3.4
 - 2022-03-22 TUN-5918: Clean up text in cloudflared tunnel --help
 - 2022-03-22 TUN-5895 run brew bump-formula-pr on release
 - 2022-03-22 TUN-5915: New cloudflared command to allow to retrieve the token credentials for a Tunnel
 - 2022-03-24 TUN-5933: Better messaging to help user when installing service if it is already installed
 - 2022-03-25 TUN-5954: Start cloudflared service in Linux too similarly to other OSs
 - 2022-03-14 TUN-5869: Add configuration endpoint in metrics server
 2022.3.3
 - 2022-03-17 TUN-5893: Start windows service on install, stop on uninstall. Previously user had to manually start the service after running 'cloudflared tunnel install' and stop the service before running uninstall command.
 - 2022-03-17 Revert "CC-796: Remove dependency on unsupported version of go-oidc"
 - 2022-03-18 TUN-5881: Clarify success (or lack thereof) of (un)installing cloudflared service
 - 2022-03-18 CC-796: Remove dependency on unsupported version of go-oidc
 - 2022-03-18 TUN-5907: Change notes for 2022.3.3
 2022.3.2
 - 2022-03-10 TUN-5833: Create constant for allow-remote-config
 - 2022-03-15 TUN-5867: Return error if service was already installed
 - 2022-03-16 TUN-5833: Send feature `allow_remote_config` if Tunnel is run with --token
 - 2022-03-08 TUN-5849: Remove configuration debug log
 - 2022-03-08 TUN-5850: Update CHANGES.md with latest releases
 - 2022-03-08 TUN-5851: Update all references to point to Apache License 2.0
 - 2022-03-07 TUN-5853 Add "install" make target and build package manager info into executable
 - 2022-03-08 TUN-5801: Add custom wrapper for OriginConfig for JSON serde
 - 2022-03-09 TUN-5703: Add prometheus metric for current configuration version
 - 2022-02-05 CC-796: Remove dependency on unsupported version of go-oidc
 2022.3.1
 - 2022-03-04 TUN-5837: Log panic recovery in http2 logic with debug level log
 - 2022-03-04  TUN-5696: HTTP/2 Configuration Update
 - 2022-03-04 TUN-5836: Avoid websocket#Stream function from crashing cloudflared with unexpected memory access
 - 2022-03-05 TUN-5836: QUIC transport no longer sets body to nil in any condition
 2022.3.0
 - 2022-03-02 TUN-5680: Adapt component tests for new service install based on token
 - 2022-02-21 TUN-5682: Remove name field from credentials
 - 2022-02-21 TUN-5681: Add support for running tunnel using Token
 - 2022-02-28 TUN-5824: Update updater no-update-in-shell link
 - 2022-02-28 TUN-5823: Warn about legacy flags that are ignored when ingress rules are used
 - 2022-02-28 TUN-5737: Support https protocol over unix socket origin
 - 2022-02-23 TUN-5679: Add support for service install using Tunnel Token
 2022.2.2
 - 2022-02-22 TUN-5754: Allow ingress validate to take plaintext option
 - 2022-02-17 TUN-5678: Cloudflared uses typed tunnel API
 2022.2.1
 - 2022-02-10 TUN-5184: Handle errors in bidrectional streaming (websocket#Stream) gracefully when 1 side has ended
 - 2022-02-14 Update issue templates
 - 2022-02-14 Update issue templates
 - 2022-02-11 TUN-5768: Update cloudflared license file
 - 2022-02-11 TUN-5698: Make ingress rules and warp routing dynamically configurable
 - 2022-02-14 TUN-5678: Adapt cloudflared to use new typed APIs
 - 2022-02-17 Revert "TUN-5678: Adapt cloudflared to use new typed APIs"
 - 2022-02-11 TUN-5697: Listen for UpdateConfiguration RPC in quic transport
 - 2022-02-04 TUN-5744: Add a test to make sure cloudflared uses scheme defined in ingress rule, not X-Forwarded-Proto header
 - 2022-02-07 TUN-5749: Refactor cloudflared to pave way for reconfigurable ingress - Split origin into supervisor and proxy packages - Create configManager to handle dynamic config
 - 2021-10-19 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown
 2022.2.0
 - 2022-02-02 TUN-4947: Use http when talking to Unix sockets origins
 - 2022-02-02 TUN-5695: Define RPC method to update configuration
 - 2022-01-27 TUN-5621: Correctly manage QUIC stream closing
 - 2022-01-28 TUN-5702: Allow to deserialize config from JSON
 2022.1.3
 - 2022-01-21 TUN-5477: Unhide vnet commands
 - 2022-01-24 TUN-5669: Change network command to vnet
 - 2022-01-25 TUN-5675: Remove github.com/dgrijalva/jwt-go dependency by upgrading coredns version
 - 2022-01-27 TUN-5719: Re-attempt connection to edge with QUIC despite network error when there is no fallback
 - 2022-01-28 TUN-5724: Fix SSE streaming by guaranteeing we write everything we read
 - 2022-01-17 TUN-5547: Bump golang x/net package to fix http2 transport bugs
 - 2022-01-19 TUN-5659: Proxy UDP with zero-byte payload
 - 2021-10-22 Add X-Forwarded-Host for http proxy
 2022.1.2
 - 2022-01-13 TUN-5650: Fix pynacl version to 1.4.0 and pygithub version to 1.55 so release doesn't break unexpectedly
 2022.1.1
 - 2022-01-10 TUN-5631: Build everything with go 1.17.5
 - 2022-01-06 TUN-5623: Configure quic max datagram frame size to 1350 bytes for none Windows platforms
 2022.1.0
 - 2022-01-03 TUN-5612: Add support for specifying TLS min/max version
 - 2022-01-03 TUN-5612: Make tls min/max version public visible
 - 2022-01-03 TUN-5551: Internally published debian artifacts are now named just cloudflared even though they are FIPS compliant
 - 2022-01-04 TUN-5600: Close QUIC transports as soon as possible while respecting graceful shutdown
 - 2022-01-05 TUN-5616: Never fallback transport if user chooses it on purpose
 - 2022-01-05 TUN-5204: Unregister QUIC transports on disconnect
 - 2022-01-04 TUN-5600: Add coverage to component tests for various transports
 2021.12.4
 - 2021-12-27 TUN-5482: Refactor tunnelstore client related packages for more coherent package
 - 2021-12-27 TUN-5551: Change internally published debian package to be FIPS compliant
 - 2021-12-27 TUN-5551: Show whether the binary was built for FIPS compliance
 2021.12.3
 - 2021-12-22 TUN-5584: Changes for release 2021.12.2
 - 2021-12-22 TUN-5590: QUIC datagram max user payload is 1217 bytes
 - 2021-12-22 TUN-5593: Read full packet from UDP connection, even if it exceeds MTU of the transport. When packet length is greater than the MTU of the transport, we will silently drop packets (for now).
 - 2021-12-23 TUN-5597: Log session ID when session is terminated by edge
 2021.12.2
 - 2021-12-20 TUN-5571: Remove redundant session manager log, it's already logged in origin/tunnel.ServeQUIC
 - 2021-12-20 TUN-5570: Only log RPC server events at error level to reduce noise
 - 2021-12-14 TUN-5494: Send a RPC with terminate reason to edge if the session is closed locally
 - 2021-11-09 TUN-5551: Reintroduce FIPS compliance for linux amd64 now as separate binaries
 2021.12.1
 - 2021-12-16 TUN-5549: Revert "TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64"
 2021.12.0
 - 2021-12-13 TUN-5530: Get current time from ticker
 - 2021-12-15 TUN-5544: Update CHANGES.md for next release
 - 2021-12-07 TUN-5519: Adjust URL for virtual_networks endpoint to match what we will publish
 - 2021-12-02 TUN-5488: Close session after it's idle for a period defined by registerUdpSession RPC
 - 2021-12-09 TUN-5504: Fix upload of packages to public repo
 - 2021-11-30 TUN-5481: Create abstraction for Origin UDP Connection
 - 2021-11-30 TUN-5422: Define RPC to unregister session
 - 2021-11-26 TUN-5361: Commands for managing virtual networks
 - 2021-11-29 TUN-5362: Adjust route ip commands to be aware of virtual networks
 - 2021-11-23 TUN-5301: Separate datagram multiplex and session management logic from quic connection logic
 - 2021-11-10 TUN-5405: Update net package to v0.0.0-20211109214657-ef0fda0de508
 - 2021-11-10 TUN-5408: Update quic package to v0.24.0
 - 2021-11-12 Fix typos
 - 2021-11-13 Fix for Issue #501: Unexpected User-agent insertion when tunneling http request
 - 2021-11-16 TUN-5129: Remove `-dev` suffix when computing version and Git has uncommitted changes
 - 2021-11-18 TUN-5441: Fix message about available protocols
 - 2021-11-12 TUN-5300: Define RPC to register UDP sessions
 - 2021-11-14 TUN-5299: Send/receive QUIC datagram from edge and proxy to origin as UDP
 - 2021-11-04 TUN-5387: Updated CHANGES.md for 2021.11.0
 - 2021-11-08 TUN-5368: Log connection issues with LogLevel that depends on tunnel state
 - 2021-11-09 TUN-5397: Log cloudflared output when it fails to connect tunnel
 - 2021-11-09 TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64
 - 2021-11-08 TUN-5393: Content-length is no longer a control header for non-h2mux transports
 2021.11.0
 - 2021-11-03 TUN-5285: Fallback to HTTP2 immediately if connection times out with no network activity
 - 2021-09-29 Add flag to 'tunnel create' subcommand to specify a base64-encoded secret
 2021.10.5
 - 2021-10-25 Update change log for release 2021.10.4
 - 2021-10-25 Revert "TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown"
 2021.10.4
 - 2021-10-21 TUN-5287: Fix misuse of wait group in TestQUICServer that caused the test to exit immediately
 - 2021-10-21 TUN-5286: Upgrade crypto/ssh package to fix CVE-2020-29652
 - 2021-10-18 TUN-5262: Allow to configure max fetch size for listing queries
 - 2021-10-19 TUN-5262: Improvements to `max-fetch-size` that allow to deal with large number of tunnels in account
 - 2021-10-15 TUN-5261: Collect QUIC metrics about RTT, packets and bytes transfered and log events at tracing level
 - 2021-10-19 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown
 2021.10.3
 - 2021-10-14 TUN-5255: Fix potential panic if Cloudflare API fails to respond to GetTunnel(id) during delete command
 - 2021-10-14 TUN-5257: Fix more cfsetup targets that were broken by recent package changes
 2021.10.2
 - 2021-10-11 TUN-5138: Switch to QUIC on auto protocol based on threshold
 - 2021-10-14 TUN-5250: Add missing packages for cfsetup to succeed in github release pkgs target
 2021.10.1
 - 2021-10-12 TUN-5246: Use protocol: quic for Quick tunnels if one is not already set
 - 2021-10-13 TUN-5249: Revert "TUN-5138: Switch to QUIC on auto protocol based on threshold"
 2021.10.0
 - 2021-10-11 TUN-5138: Switch to QUIC on auto protocol based on threshold
 - 2021-10-07 TUN-5195: Do not set empty body if not applicable
 - 2021-10-08 UN-5213: Increase MaxStreams value for QUIC transport
 - 2021-09-28 TUN-5169: Release 2021.9.2 CHANGES.md
 - 2021-09-28 TUN-5164: Update README and clean up references to Argo Tunnel (using Cloudflare Tunnel instead)
 2021.9.2
 - 2021-09-21 TUN-5129: Use go 1.17 and copy .git folder to docker build to compute version
 - 2021-09-21 TUN-5128: Enforce maximum grace period
 - 2021-09-22 TUN-5141: Make sure websocket pinger returns before streaming returns
 - 2021-09-24 TUN-5142: Add asynchronous servecontrolstream for QUIC
 - 2021-09-24 TUN-5142: defer close rpcconn inside unregister instead of ServeControlStream
 - 2021-09-27 TUN-5160: Set request.ContentLength when this value is in request header
 2021.9.1
 - 2021-09-21 TUN-5118: Quic connection now detects duplicate connections similar to http2
 - 2021-09-15 Fix TryCloudflare link
 2021.9.0
 - 2021-09-02 Fix broken TryCloudflare link
 - 2021-09-03 Add support for taking named tunnel credentials from an environment variable
--- a/build-packages-fips.sh
+++ b/build-packages-fips.sh
@ -1,26 +0,0 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 arch=("amd64")
 export TARGET_ARCH=$arch
 export TARGET_OS=linux
 export FIPS=true
 # For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
 export CGO_ENABLED=1
 make cloudflared-deb
 mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH="x86_64"
 make cloudflared-rpm
 mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,37 +1,28 @@
-#!/bin/bash
+VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=artifacts/
+export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
-
+windowsArchs=("amd64" "386")
-linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
+export TARGET_OS=windows
-export TARGET_OS=linux
+for arch in ${windowsArchs[@]}; do 
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    make cloudflared-msi
    mv ./cloudflared.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
    mv cloudflared-$VERSION-$arch.msi $ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
-    ## Support for arm platforms without hardware FPU enabled
+
-    if [[ $arch == arm ]] ; then
+export FIPS=true
-        export TARGET_ARCH=arm
+linuxArchs=("amd64" "386" "arm" "arm64")
-        export TARGET_ARM=5
+export TARGET_OS=linux
-    fi
+for arch in ${linuxArchs[@]}; do 
-    
+    export TARGET_ARCH=$arch
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
-    # rpm packages invert the - and _ and use x86_64 instead of amd64.
+    # rpm packages invert the - and _ and use x86_64 instead of amd64. 
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
@ -46,3 +37,4 @@ for arch in ${linuxArchs[@]}; do
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -1,6 +1,6 @@
-// Package carrier provides a WebSocket proxy to carry or proxy a connection
+//Package carrier provides a WebSocket proxy to carry or proxy a connection
-// from the local client to the edge. See it as a wrapper around any protocol
+//from the local client to the edge. See it as a wrapper around any protocol
-// that it packages up in a WebSocket connection to the edge.
+//that it packages up in a WebSocket connection to the edge.
 package carrier
 import (
@ -54,7 +54,7 @@ func (c *StdinoutStream) Write(p []byte) (int, error) {
 	return os.Stdout.Write(p)
 }
-// Helper to allow deferring the response close with a check that the resp is not nil
+// Helper to allow defering the response close with a check that the resp is not nil
 func closeRespBody(resp *http.Response) {
 	if resp != nil {
 		_ = resp.Body.Close()
--- a/carrier/websocket.go
+++ b/carrier/websocket.go
@ -9,7 +9,6 @@ import (
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/token"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
@ -38,7 +37,7 @@ func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) erro
 	}
 	defer wsConn.Close()
-	stream.Pipe(wsConn, conn, ws.log)
+	cfwebsocket.Stream(wsConn, conn, ws.log)
 	return nil
 }
@ -56,9 +55,6 @@ func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebso
 	}
 	dump, err := httputil.DumpRequest(req, false)
 	if err != nil {
 		return nil, err
 	}
 	log.Debug().Msgf("Websocket request: %s", string(dump))
 	dialer := &websocket.Dialer{
@ -186,9 +182,6 @@ func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*w
 	}
 	dump, err := httputil.DumpRequest(req, false)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Debug().Msgf("Access Websocket request: %s", string(dump))
 	conn, resp, err := clientConnect(req, nil)
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -1,16 +0,0 @@
 apiVersion: backstage.io/v1alpha1
 kind: Component
 metadata:
  name: cloudflared
  description: Client for Cloudflare Tunnels
  annotations:
    backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
    cloudflare.com/software-excellence-opt-in: "true"
    cloudflare.com/jira-project-key: "TUN"
    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
  tags:
    - internal
 spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
--- a/certutil/certutil.go
+++ b/certutil/certutil.go
@ -0,0 +1,94 @@
 package certutil
 import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"strings"
 )
 type namedTunnelToken struct {
 	ZoneID     string `json:"zoneID"`
 	AccountID  string `json:"accountID"`
 	ServiceKey string `json:"serviceKey"`
 }
 type OriginCert struct {
 	PrivateKey interface{}
 	Cert       *x509.Certificate
 	ZoneID     string
 	ServiceKey string
 	AccountID  string
 }
 func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
 	if len(blocks) == 0 {
 		return nil, fmt.Errorf("Cannot decode empty certificate")
 	}
 	originCert := OriginCert{}
 	block, rest := pem.Decode(blocks)
 	for {
 		if block == nil {
 			break
 		}
 		switch block.Type {
 		case "PRIVATE KEY":
 			if originCert.PrivateKey != nil {
 				return nil, fmt.Errorf("Found multiple private key in the certificate")
 			}
 			// RSA private key
 			privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("Cannot parse private key")
 			}
 			originCert.PrivateKey = privateKey
 		case "CERTIFICATE":
 			if originCert.Cert != nil {
 				return nil, fmt.Errorf("Found multiple certificates in the certificate")
 			}
 			cert, err := x509.ParseCertificates(block.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("Cannot parse certificate")
 			} else if len(cert) > 1 {
 				return nil, fmt.Errorf("Found multiple certificates in the certificate")
 			}
 			originCert.Cert = cert[0]
 		case "WARP TOKEN", "ARGO TUNNEL TOKEN":
 			if originCert.ZoneID != "" || originCert.ServiceKey != "" {
 				return nil, fmt.Errorf("Found multiple tokens in the certificate")
 			}
 			// The token is a string,
 			// Try the newer JSON format
 			ntt := namedTunnelToken{}
 			if err := json.Unmarshal(block.Bytes, &ntt); err == nil {
 				originCert.ZoneID = ntt.ZoneID
 				originCert.ServiceKey = ntt.ServiceKey
 				originCert.AccountID = ntt.AccountID
 			} else {
 				// Try the older format, where the zoneID and service key are seperated by
 				// a new line character
 				token := string(block.Bytes)
 				s := strings.Split(token, "\n")
 				if len(s) != 2 {
 					return nil, fmt.Errorf("Cannot parse token")
 				}
 				originCert.ZoneID = s[0]
 				originCert.ServiceKey = s[1]
 			}
 		default:
 			return nil, fmt.Errorf("Unknown block %s in the certificate", block.Type)
 		}
 		block, rest = pem.Decode(rest)
 	}
 	if originCert.PrivateKey == nil {
 		return nil, fmt.Errorf("Missing private key in the certificate")
 	} else if originCert.Cert == nil {
 		return nil, fmt.Errorf("Missing certificate in the certificate")
 	} else if originCert.ZoneID == "" || originCert.ServiceKey == "" {
 		return nil, fmt.Errorf("Missing token in the certificate")
 	}
 	return &originCert, nil
 }
--- a/certutil/certutil_test.go
+++ b/certutil/certutil_test.go
@ -0,0 +1,67 @@
 package certutil
 import (
 	"fmt"
 	"io/ioutil"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestLoadOriginCert(t *testing.T) {
 	cert, err := DecodeOriginCert([]byte{})
 	assert.Equal(t, fmt.Errorf("Cannot decode empty certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err := ioutil.ReadFile("test-cert-no-key.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Missing private key in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert-two-certificates.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Found multiple certificates in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert-unknown-block.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Unknown block RSA PRIVATE KEY in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Nil(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "v1.0-58bd4f9e28f7b3c28e05a35ff3e80ab4fd9644ef3fece537eb0d12e2e9258217-183442fbb0bbdb3e571558fec9b5589ebd77aafc87498ee3f09f64a4ad79ffe8791edbae08b36c1d8f1d70a8670de56922dff92b15d214a524f4ebfa1958859e-7ce80f79921312a6022c5d25e2d380f82ceaefe3fbdc43dd13b080e3ef1e26f7"
 	assert.Equal(t, key, cert.ServiceKey)
 }
 func TestNewlineArgoTunnelToken(t *testing.T) {
 	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert.pem")
 }
 func TestJSONArgoTunnelToken(t *testing.T) {
 	// The given cert's Argo Tunnel Token was generated by base64 encoding this JSON:
 	// {
 	// "zoneID": "7b0a4d77dfb881c1a3b7d61ea9443e19",
 	// "serviceKey": "test-service-key",
 	// "accountID": "abcdabcdabcdabcd1234567890abcdef"
 	// }
 	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert-json.pem")
 }
 func ArgoTunnelTokenTest(t *testing.T, path string) {
 	blocks, err := ioutil.ReadFile(path)
 	assert.Nil(t, err)
 	cert, err := DecodeOriginCert(blocks)
 	assert.Nil(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "test-service-key"
 	assert.Equal(t, key, cert.ServiceKey)
 }
--- a/certutil/test-argo-tunnel-cert-json.pem
+++ b/certutil/test-argo-tunnel-cert-json.pem
@ -0,0 +1,57 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN ARGO TUNNEL TOKEN-----
 eyJ6b25lSUQiOiAiN2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkiLCAi
 c2VydmljZUtleSI6ICJ0ZXN0LXNlcnZpY2Uta2V5IiwgImFjY291bnRJRCI6ICJh
 YmNkYWJjZGFiY2RhYmNkMTIzNDU2Nzg5MGFiY2RlZiJ9
 -----END ARGO TUNNEL TOKEN-----
--- a/certutil/test-argo-tunnel-cert.pem
+++ b/certutil/test-argo-tunnel-cert.pem
@ -0,0 +1,56 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN ARGO TUNNEL TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdGVzdC1zZXJ2aWNlLWtl
 eQ==
 -----END ARGO TUNNEL TOKEN-----
--- a/certutil/test-cert-no-key.pem
+++ b/certutil/test-cert-no-key.pem
@ -0,0 +1,33 @@
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/certutil/test-cert-two-certificates.pem
+++ b/certutil/test-cert-two-certificates.pem
@ -0,0 +1,85 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/credentials/test-cert-unknown-block.pem
+++ b/credentials/test-cert-unknown-block.pem
@ -50,7 +50,7 @@ cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
-----BEGIN ARGO TUNNEL TOKEN-----
+-----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
@ -58,7 +58,7 @@ NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
-----END ARGO TUNNEL TOKEN-----
+-----END WARP TOKEN-----
 -----BEGIN RSA PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
--- a/certutil/test-cert.pem
+++ b/certutil/test-cert.pem
@ -0,0 +1,61 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/cfapi/base_client.go
+++ b/cfapi/base_client.go
@ -1,247 +0,0 @@
 package cfapi
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"golang.org/x/net/http2"
 )
 const (
 	defaultTimeout  = 15 * time.Second
 	jsonContentType = "application/json"
 )
 var (
 	ErrUnauthorized = errors.New("unauthorized")
 	ErrBadRequest   = errors.New("incorrect request parameters")
 	ErrNotFound     = errors.New("not found")
 	ErrAPINoSuccess = errors.New("API call failed")
 )
 type RESTClient struct {
 	baseEndpoints *baseEndpoints
 	authToken     string
 	userAgent     string
 	client        http.Client
 	log           *zerolog.Logger
 }
 type baseEndpoints struct {
 	accountLevel  url.URL
 	zoneLevel     url.URL
 	accountRoutes url.URL
 	accountVnets  url.URL
 }
 var _ Client = (*RESTClient)(nil)
 func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
 	if strings.HasSuffix(baseURL, "/") {
 		baseURL = baseURL[:len(baseURL)-1]
 	}
 	accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
 	}
 	accountRoutesEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/routes", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create route account-level endpoint")
 	}
 	accountVnetsEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/virtual_networks", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create virtual network account-level endpoint")
 	}
 	zoneLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/zones/%s/tunnels", baseURL, zoneTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
 	}
 	httpTransport := http.Transport{
 		TLSHandshakeTimeout:   defaultTimeout,
 		ResponseHeaderTimeout: defaultTimeout,
 	}
 	http2.ConfigureTransport(&httpTransport)
 	return &RESTClient{
 		baseEndpoints: &baseEndpoints{
 			accountLevel:  *accountLevelEndpoint,
 			zoneLevel:     *zoneLevelEndpoint,
 			accountRoutes: *accountRoutesEndpoint,
 			accountVnets:  *accountVnetsEndpoint,
 		},
 		authToken: authToken,
 		userAgent: userAgent,
 		client: http.Client{
 			Transport: &httpTransport,
 			Timeout:   defaultTimeout,
 		},
 		log: log,
 	}, nil
 }
 func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (*http.Response, error) {
 	var bodyReader io.Reader
 	if body != nil {
 		if bodyBytes, err := json.Marshal(body); err != nil {
 			return nil, errors.Wrap(err, "failed to serialize json body")
 		} else {
 			bodyReader = bytes.NewBuffer(bodyBytes)
 		}
 	}
 	req, err := http.NewRequest(method, url.String(), bodyReader)
 	if err != nil {
 		return nil, errors.Wrapf(err, "can't create %s request", method)
 	}
 	req.Header.Set("User-Agent", r.userAgent)
 	if bodyReader != nil {
 		req.Header.Set("Content-Type", jsonContentType)
 	}
 	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", r.authToken))
 	req.Header.Add("Accept", "application/json;version=1")
 	return r.client.Do(req)
 }
 func parseResponseEnvelope(reader io.Reader) (*response, error) {
 	// Schema for Tunnelstore responses in the v1 API.
 	// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
 	var result response
 	// First, parse the wrapper and check the API call succeeded
 	if err := json.NewDecoder(reader).Decode(&result); err != nil {
 		return nil, errors.Wrap(err, "failed to decode response")
 	}
 	if err := result.checkErrors(); err != nil {
 		return nil, err
 	}
 	if !result.Success {
 		return nil, ErrAPINoSuccess
 	}
 	return &result, nil
 }
 func parseResponse(reader io.Reader, data interface{}) error {
 	result, err := parseResponseEnvelope(reader)
 	if err != nil {
 		return err
 	}
 	return parseResponseBody(result, data)
 }
 func parseResponseBody(result *response, data interface{}) error {
 	// At this point we know the API call succeeded, so, parse out the inner
 	// result into the datatype provided as a parameter.
 	if err := json.Unmarshal(result.Result, &data); err != nil {
 		return errors.Wrap(err, "the Cloudflare API response was an unexpected type")
 	}
 	return nil
 }
 func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
 	page := 0
 	var fullResponse []*T
 	for {
 		page += 1
 		envelope, parsedBody, err := fetchPage[T](requestFn, page)
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
 		}
 		fullResponse = append(fullResponse, parsedBody...)
 		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
 			break
 		}
 	}
 	return fullResponse, nil
 }
 func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
 	pageResp, err := requestFn(page)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "REST request failed")
 	}
 	defer pageResp.Body.Close()
 	if pageResp.StatusCode == http.StatusOK {
 		envelope, err := parseResponseEnvelope(pageResp.Body)
 		if err != nil {
 			return nil, nil, err
 		}
 		var parsedRspBody []*T
 		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
 	}
 	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
 }
 type response struct {
 	Success    bool            `json:"success,omitempty"`
 	Errors     []apiErr        `json:"errors,omitempty"`
 	Messages   []string        `json:"messages,omitempty"`
 	Result     json.RawMessage `json:"result,omitempty"`
 	Pagination Pagination      `json:"result_info,omitempty"`
 }
 type Pagination struct {
 	Count      int `json:"count,omitempty"`
 	Page       int `json:"page,omitempty"`
 	PerPage    int `json:"per_page,omitempty"`
 	TotalCount int `json:"total_count,omitempty"`
 }
 func (r *response) checkErrors() error {
 	if len(r.Errors) == 0 {
 		return nil
 	}
 	if len(r.Errors) == 1 {
 		return r.Errors[0]
 	}
 	var messages string
 	for _, e := range r.Errors {
 		messages += fmt.Sprintf("%s; ", e)
 	}
 	return fmt.Errorf("API errors: %s", messages)
 }
 type apiErr struct {
 	Code    json.Number `json:"code,omitempty"`
 	Message string      `json:"message,omitempty"`
 }
 func (e apiErr) Error() string {
 	return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
 }
 func (r *RESTClient) statusCodeToError(op string, resp *http.Response) error {
 	if resp.Header.Get("Content-Type") == "application/json" {
 		var errorsResp response
 		if json.NewDecoder(resp.Body).Decode(&errorsResp) == nil {
 			if err := errorsResp.checkErrors(); err != nil {
 				return errors.Errorf("Failed to %s: %s", op, err)
 			}
 		}
 	}
 	switch resp.StatusCode {
 	case http.StatusOK:
 		return nil
 	case http.StatusBadRequest:
 		return ErrBadRequest
 	case http.StatusUnauthorized, http.StatusForbidden:
 		return ErrUnauthorized
 	case http.StatusNotFound:
 		return ErrNotFound
 	}
 	return errors.Errorf("API call to %s failed with status %d: %s", op,
 		resp.StatusCode, http.StatusText(resp.StatusCode))
 }
--- a/cfapi/client.go
+++ b/cfapi/client.go
@ -1,41 +0,0 @@
 package cfapi
 import (
 	"github.com/google/uuid"
 )
 type TunnelClient interface {
 	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
 	GetManagementToken(tunnelID uuid.UUID) (string, error)
 	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
 	CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
 }
 type HostnameClient interface {
 	RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error)
 }
 type IPRouteClient interface {
 	ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
 	AddRoute(newRoute NewRoute) (Route, error)
 	DeleteRoute(id uuid.UUID) error
 	GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
 }
 type VnetClient interface {
 	CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)
 	ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)
 	DeleteVirtualNetwork(id uuid.UUID, force bool) error
 	UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error
 }
 type Client interface {
 	TunnelClient
 	HostnameClient
 	IPRouteClient
 	VnetClient
 }
--- a/cfapi/hostname.go
+++ b/cfapi/hostname.go
@ -1,192 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"path"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 type Change = string
 const (
 	ChangeNew       = "new"
 	ChangeUpdated   = "updated"
 	ChangeUnchanged = "unchanged"
 )
 // HostnameRoute represents a record type that can route to a tunnel
 type HostnameRoute interface {
 	json.Marshaler
 	RecordType() string
 	UnmarshalResult(body io.Reader) (HostnameRouteResult, error)
 	String() string
 }
 type HostnameRouteResult interface {
 	// SuccessSummary explains what will route to this tunnel when it's provisioned successfully
 	SuccessSummary() string
 }
 type DNSRoute struct {
 	userHostname      string
 	overwriteExisting bool
 }
 type DNSRouteResult struct {
 	route *DNSRoute
 	CName Change `json:"cname"`
 	Name  string `json:"name"`
 }
 func NewDNSRoute(userHostname string, overwriteExisting bool) HostnameRoute {
 	return &DNSRoute{
 		userHostname:      userHostname,
 		overwriteExisting: overwriteExisting,
 	}
 }
 func (dr *DNSRoute) MarshalJSON() ([]byte, error) {
 	s := struct {
 		Type              string `json:"type"`
 		UserHostname      string `json:"user_hostname"`
 		OverwriteExisting bool   `json:"overwrite_existing"`
 	}{
 		Type:              dr.RecordType(),
 		UserHostname:      dr.userHostname,
 		OverwriteExisting: dr.overwriteExisting,
 	}
 	return json.Marshal(&s)
 }
 func (dr *DNSRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
 	var result DNSRouteResult
 	err := parseResponse(body, &result)
 	result.route = dr
 	return &result, err
 }
 func (dr *DNSRoute) RecordType() string {
 	return "dns"
 }
 func (dr *DNSRoute) String() string {
 	return fmt.Sprintf("%s %s", dr.RecordType(), dr.userHostname)
 }
 func (res *DNSRouteResult) SuccessSummary() string {
 	var msgFmt string
 	switch res.CName {
 	case ChangeNew:
 		msgFmt = "Added CNAME %s which will route to this tunnel"
 	case ChangeUpdated: // this is not currently returned by tunnelsore
 		msgFmt = "%s updated to route to your tunnel"
 	case ChangeUnchanged:
 		msgFmt = "%s is already configured to route to your tunnel"
 	}
 	return fmt.Sprintf(msgFmt, res.hostname())
 }
 // hostname yields the resulting name for the DNS route; if that is not available from Cloudflare API, then the
 // requested name is returned instead (should not be the common path, it is just a fall-back).
 func (res *DNSRouteResult) hostname() string {
 	if res.Name != "" {
 		return res.Name
 	}
 	return res.route.userHostname
 }
 type LBRoute struct {
 	lbName string
 	lbPool string
 }
 type LBRouteResult struct {
 	route        *LBRoute
 	LoadBalancer Change `json:"load_balancer"`
 	Pool         Change `json:"pool"`
 }
 func NewLBRoute(lbName, lbPool string) HostnameRoute {
 	return &LBRoute{
 		lbName: lbName,
 		lbPool: lbPool,
 	}
 }
 func (lr *LBRoute) MarshalJSON() ([]byte, error) {
 	s := struct {
 		Type   string `json:"type"`
 		LBName string `json:"lb_name"`
 		LBPool string `json:"lb_pool"`
 	}{
 		Type:   lr.RecordType(),
 		LBName: lr.lbName,
 		LBPool: lr.lbPool,
 	}
 	return json.Marshal(&s)
 }
 func (lr *LBRoute) RecordType() string {
 	return "lb"
 }
 func (lb *LBRoute) String() string {
 	return fmt.Sprintf("%s %s %s", lb.RecordType(), lb.lbName, lb.lbPool)
 }
 func (lr *LBRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
 	var result LBRouteResult
 	err := parseResponse(body, &result)
 	result.route = lr
 	return &result, err
 }
 func (res *LBRouteResult) SuccessSummary() string {
 	var msg string
 	switch res.LoadBalancer + "," + res.Pool {
 	case "new,new":
 		msg = "Created load balancer %s and added a new pool %s with this tunnel as an origin"
 	case "new,updated":
 		msg = "Created load balancer %s with an existing pool %s which was updated to use this tunnel as an origin"
 	case "new,unchanged":
 		msg = "Created load balancer %s with an existing pool %s which already has this tunnel as an origin"
 	case "updated,new":
 		msg = "Added new pool %[2]s with this tunnel as an origin to load balancer %[1]s"
 	case "updated,updated":
 		msg = "Updated pool %[2]s to use this tunnel as an origin and added it to load balancer %[1]s"
 	case "updated,unchanged":
 		msg = "Added pool %[2]s, which already has this tunnel as an origin, to load balancer %[1]s"
 	case "unchanged,updated":
 		msg = "Added this tunnel as an origin in pool %[2]s which is already used by load balancer %[1]s"
 	case "unchanged,unchanged":
 		msg = "Load balancer %s already uses pool %s which has this tunnel as an origin"
 	case "unchanged,new":
 		// this state is not possible
 		fallthrough
 	default:
 		msg = "Something went wrong: failed to modify load balancer %s with pool %s; please check traffic manager configuration in the dashboard"
 	}
 	return fmt.Sprintf(msg, res.route.lbName, res.route.lbPool)
 }
 func (r *RESTClient) RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error) {
 	endpoint := r.baseEndpoints.zoneLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/routes", tunnelID))
 	resp, err := r.sendRequest("PUT", endpoint, route)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return route.UnmarshalResult(resp.Body)
 	}
 	return nil, r.statusCodeToError("add route", resp)
 }
--- a/cfapi/hostname_test.go
+++ b/cfapi/hostname_test.go
@ -1,99 +0,0 @@
 package cfapi
 import (
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestDNSRouteUnmarshalResult(t *testing.T) {
 	route := &DNSRoute{
 		userHostname: "example.com",
 	}
 	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"cname": "new"}}`))
 	assert.NoError(t, err)
 	assert.Equal(t, &DNSRouteResult{
 		route: route,
 		CName: ChangeNew,
 	}, result)
 	badJSON := []string{
 		`abc`,
 		`{"success": false, "result": {"cname": "new"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"cname": "new"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"cname": "new"}}`,
 		`{"result": {"cname": "new"}}`,
 		`{"result": {"cname": "new"}}`,
 	}
 	for _, j := range badJSON {
 		_, err = route.UnmarshalResult(strings.NewReader(j))
 		assert.NotNil(t, err)
 	}
 }
 func TestLBRouteUnmarshalResult(t *testing.T) {
 	route := &LBRoute{
 		lbName: "lb.example.com",
 		lbPool: "pool",
 	}
 	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"pool": "unchanged", "load_balancer": "updated"}}`))
 	assert.NoError(t, err)
 	assert.Equal(t, &LBRouteResult{
 		route:        route,
 		LoadBalancer: ChangeUpdated,
 		Pool:         ChangeUnchanged,
 	}, result)
 	badJSON := []string{
 		`abc`,
 		`{"success": false, "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 	}
 	for _, j := range badJSON {
 		_, err = route.UnmarshalResult(strings.NewReader(j))
 		assert.NotNil(t, err)
 	}
 }
 func TestLBRouteResultSuccessSummary(t *testing.T) {
 	route := &LBRoute{
 		lbName: "lb.example.com",
 		lbPool: "POOL",
 	}
 	tests := []struct {
 		lb       Change
 		pool     Change
 		expected string
 	}{
 		{ChangeNew, ChangeNew, "Created load balancer lb.example.com and added a new pool POOL with this tunnel as an origin"},
 		{ChangeNew, ChangeUpdated, "Created load balancer lb.example.com with an existing pool POOL which was updated to use this tunnel as an origin"},
 		{ChangeNew, ChangeUnchanged, "Created load balancer lb.example.com with an existing pool POOL which already has this tunnel as an origin"},
 		{ChangeUpdated, ChangeNew, "Added new pool POOL with this tunnel as an origin to load balancer lb.example.com"},
 		{ChangeUpdated, ChangeUpdated, "Updated pool POOL to use this tunnel as an origin and added it to load balancer lb.example.com"},
 		{ChangeUpdated, ChangeUnchanged, "Added pool POOL, which already has this tunnel as an origin, to load balancer lb.example.com"},
 		{ChangeUnchanged, ChangeNew, "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 		{ChangeUnchanged, ChangeUpdated, "Added this tunnel as an origin in pool POOL which is already used by load balancer lb.example.com"},
 		{ChangeUnchanged, ChangeUnchanged, "Load balancer lb.example.com already uses pool POOL which has this tunnel as an origin"},
 		{"", "", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 		{"a", "b", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 	}
 	for i, tt := range tests {
 		res := &LBRouteResult{
 			route:        route,
 			LoadBalancer: tt.lb,
 			Pool:         tt.pool,
 		}
 		actual := res.SuccessSummary()
 		assert.Equal(t, tt.expected, actual, "case %d", i+1)
 	}
 }
--- a/cfapi/ip_route.go
+++ b/cfapi/ip_route.go
@ -1,235 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 // Route is a mapping from customer's IP space to a tunnel.
 // Each route allows the customer to route eyeballs in their corporate network
 // to certain private IP ranges. Each Route represents an IP range in their
 // network, and says that eyeballs can reach that route using the corresponding
 // tunnel.
 type Route struct {
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the Route belongs to the default virtual network.
 	VNetID    *uuid.UUID `json:"virtual_network_id,omitempty"`
 	Comment   string     `json:"comment"`
 	CreatedAt time.Time  `json:"created_at"`
 	DeletedAt time.Time  `json:"deleted_at"`
 }
 // CIDR is just a newtype wrapper around net.IPNet. It adds JSON unmarshalling.
 type CIDR net.IPNet
 func (c CIDR) String() string {
 	n := net.IPNet(c)
 	return n.String()
 }
 func (c CIDR) MarshalJSON() ([]byte, error) {
 	str := c.String()
 	json, err := json.Marshal(str)
 	if err != nil {
 		return nil, errors.Wrap(err, "error serializing CIDR into JSON")
 	}
 	return json, nil
 }
 // UnmarshalJSON parses a JSON string into net.IPNet
 func (c *CIDR) UnmarshalJSON(data []byte) error {
 	var s string
 	if err := json.Unmarshal(data, &s); err != nil {
 		return errors.Wrap(err, "error parsing cidr string")
 	}
 	_, network, err := net.ParseCIDR(s)
 	if err != nil {
 		return errors.Wrap(err, "error parsing invalid network from backend")
 	}
 	if network == nil {
 		return fmt.Errorf("backend returned invalid network %s", s)
 	}
 	*c = CIDR(*network)
 	return nil
 }
 // NewRoute has all the parameters necessary to add a new route to the table.
 type NewRoute struct {
 	Network  net.IPNet
 	TunnelID uuid.UUID
 	Comment  string
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 // MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
 func (r NewRoute) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&struct {
 		Network  string     `json:"network"`
 		TunnelID uuid.UUID  `json:"tunnel_id"`
 		Comment  string     `json:"comment"`
 		VNetID   *uuid.UUID `json:"virtual_network_id,omitempty"`
 	}{
 		Network:  r.Network.String(),
 		TunnelID: r.TunnelID,
 		Comment:  r.Comment,
 		VNetID:   r.VNetID,
 	})
 }
 // DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
 type DetailedRoute struct {
 	ID       uuid.UUID `json:"id"`
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
 	VNetID     *uuid.UUID `json:"virtual_network_id,omitempty"`
 	Comment    string     `json:"comment"`
 	CreatedAt  time.Time  `json:"created_at"`
 	DeletedAt  time.Time  `json:"deleted_at"`
 	TunnelName string     `json:"tunnel_name"`
 }
 // IsZero checks if DetailedRoute is the zero value.
 func (r *DetailedRoute) IsZero() bool {
 	return r.TunnelID == uuid.Nil
 }
 // TableString outputs a table row summarizing the route, to be used
 // when showing the user their routing table.
 func (r DetailedRoute) TableString() string {
 	deletedColumn := "-"
 	if !r.DeletedAt.IsZero() {
 		deletedColumn = r.DeletedAt.Format(time.RFC3339)
 	}
 	vnetColumn := "default"
 	if r.VNetID != nil {
 		vnetColumn = r.VNetID.String()
 	}
 	return fmt.Sprintf(
 		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
 		r.ID,
 		r.Network.String(),
 		vnetColumn,
 		r.Comment,
 		r.TunnelID,
 		r.TunnelName,
 		r.CreatedAt.Format(time.RFC3339),
 		deletedColumn,
 	)
 }
 type GetRouteByIpParams struct {
 	Ip net.IP
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 // ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
 // Due to pagination on the server side it will call the endpoint multiple times if needed.
 func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
 	fetchFn := func(page int) (*http.Response, error) {
 		endpoint := r.baseEndpoints.accountRoutes
 		filter.Page(page)
 		endpoint.RawQuery = filter.Encode()
 		rsp, err := r.sendRequest("GET", endpoint, nil)
 		if err != nil {
 			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list routes", rsp)
 		}
 		return rsp, nil
 	}
 	return fetchExhaustively[DetailedRoute](fetchFn)
 }
 // AddRoute calls the Tunnelstore POST endpoint for a given route.
 func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path)
 	resp, err := r.sendRequest("POST", endpoint, newRoute)
 	if err != nil {
 		return Route{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseRoute(resp.Body)
 	}
 	return Route{}, r.statusCodeToError("add route", resp)
 }
 // DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
 func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseRoute(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("delete route", resp)
 }
 // GetByIP checks which route will proxy a given IP.
 func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path, "ip", url.PathEscape(params.Ip.String()))
 	setVnetParam(&endpoint, params.VNetID)
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return DetailedRoute{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseDetailedRoute(resp.Body)
 	}
 	return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
 }
 func parseRoute(body io.ReadCloser) (Route, error) {
 	var route Route
 	err := parseResponse(body, &route)
 	return route, err
 }
 func parseDetailedRoute(body io.ReadCloser) (DetailedRoute, error) {
 	var route DetailedRoute
 	err := parseResponse(body, &route)
 	return route, err
 }
 // setVnetParam overwrites the URL's query parameters with a query param to scope the HostnameRoute action to a certain
 // virtual network (if one is provided).
 func setVnetParam(endpoint *url.URL, vnetID *uuid.UUID) {
 	queryParams := url.Values{}
 	if vnetID != nil {
 		queryParams.Set("virtual_network_id", vnetID.String())
 	}
 	endpoint.RawQuery = queryParams.Encode()
 }
--- a/cfapi/ip_route_filter.go
+++ b/cfapi/ip_route_filter.go
@ -1,176 +0,0 @@
 package cfapi
 import (
 	"fmt"
 	"net"
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 var (
 	filterIpRouteDeleted = cli.BoolFlag{
 		Name:  "filter-is-deleted",
 		Usage: "If false (default), only show non-deleted routes. If true, only show deleted routes.",
 	}
 	filterIpRouteTunnelID = cli.StringFlag{
 		Name:  "filter-tunnel-id",
 		Usage: "Show only routes with the given tunnel ID.",
 	}
 	filterSubsetIpRoute = cli.StringFlag{
 		Name:    "filter-network-is-subset-of",
 		Aliases: []string{"nsub"},
 		Usage:   "Show only routes whose network is a subset of the given network.",
 	}
 	filterSupersetIpRoute = cli.StringFlag{
 		Name:    "filter-network-is-superset-of",
 		Aliases: []string{"nsup"},
 		Usage:   "Show only routes whose network is a superset of the given network.",
 	}
 	filterIpRouteComment = cli.StringFlag{
 		Name:  "filter-comment-is",
 		Usage: "Show only routes with this comment.",
 	}
 	filterIpRouteByVnet = cli.StringFlag{
 		Name:  "filter-vnet-id",
 		Usage: "Show only routes that are attached to the given virtual network ID.",
 	}
 	// Flags contains all filter flags.
 	IpRouteFilterFlags = []cli.Flag{
 		&filterIpRouteDeleted,
 		&filterIpRouteTunnelID,
 		&filterSubsetIpRoute,
 		&filterSupersetIpRoute,
 		&filterIpRouteComment,
 		&filterIpRouteByVnet,
 	}
 )
 // IpRouteFilter which routes get queried.
 type IpRouteFilter struct {
 	queryParams url.Values
 }
 // NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
 func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 	f := NewIPRouteFilter()
 	// Set deletion filter
 	if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
 		f.Deleted()
 	} else {
 		f.NotDeleted()
 	}
 	if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
 		return nil, err
 	} else if subset != nil {
 		f.NetworkIsSupersetOf(*subset)
 	}
 	if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
 		return nil, err
 	} else if superset != nil {
 		f.NetworkIsSupersetOf(*superset)
 	}
 	if comment := c.String(filterIpRouteComment.Name); comment != "" {
 		f.CommentIs(comment)
 	}
 	if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
 		u, err := uuid.Parse(tunnelID)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
 		}
 		f.TunnelID(u)
 	}
 	if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
 		u, err := uuid.Parse(vnetId)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
 		}
 		f.VNetID(u)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		f.MaxFetchSize(uint(maxFetch))
 	}
 	return f, nil
 }
 // Parses a CIDR from the flag. If the flag was unset, returns (nil, nil).
 func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
 	if !c.IsSet(flag.Name) {
 		return nil, nil
 	}
 	_, subset, err := net.ParseCIDR(c.String(flag.Name))
 	if err != nil {
 		return nil, err
 	} else if subset == nil {
 		return nil, fmt.Errorf("Invalid CIDR supplied for %s", flag.Name)
 	}
 	return subset, nil
 }
 func NewIPRouteFilter() *IpRouteFilter {
 	values := &IpRouteFilter{queryParams: url.Values{}}
 	// always list cfd_tunnel routes only
 	values.queryParams.Set("tun_types", "cfd_tunnel")
 	return values
 }
 func (f *IpRouteFilter) CommentIs(comment string) {
 	f.queryParams.Set("comment", comment)
 }
 func (f *IpRouteFilter) NotDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
 func (f *IpRouteFilter) Deleted() {
 	f.queryParams.Set("is_deleted", "true")
 }
 func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
 	f.queryParams.Set("network_subset", superset.String())
 }
 func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
 	f.queryParams.Set("network_superset", subset.String())
 }
 func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
 }
 func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
 	f.queryParams.Set("tunnel_id", id.String())
 }
 func (f *IpRouteFilter) VNetID(id uuid.UUID) {
 	f.queryParams.Set("virtual_network_id", id.String())
 }
 func (f *IpRouteFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *IpRouteFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f IpRouteFilter) Encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/ip_route_test.go
+++ b/cfapi/ip_route_test.go
@ -1,178 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"strings"
 	"testing"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 func TestUnmarshalRoute(t *testing.T) {
 	testCases := []struct {
 		Json    string
 		HasVnet bool
 	}{
 		{
 			`{
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":null
 			}`,
 			false,
 		},
 		{
 			`{
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":null,
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9"
 			}`,
 			true,
 		},
 	}
 	for _, testCase := range testCases {
 		data := testCase.Json
 		var r Route
 		err := json.Unmarshal([]byte(data), &r)
 		// Check everything worked
 		require.NoError(t, err)
 		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
 		require.Equal(t, "test", r.Comment)
 		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
 		require.NoError(t, err)
 		require.Equal(t, CIDR(*cidr), r.Network)
 		require.Equal(t, "test", r.Comment)
 		if testCase.HasVnet {
 			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
 		} else {
 			require.Nil(t, r.VNetID)
 		}
 	}
 }
 func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 	testCases := []struct {
 		Json    string
 		HasVnet bool
 	}{
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":"2021-01-14T05:01:42.183002Z",
 				"tunnel_name":"Mr. Tun"
 			}`,
 			false,
 		},
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":"2021-01-14T05:01:42.183002Z",
 				"tunnel_name":"Mr. Tun"
 			}`,
 			true,
 		},
 	}
 	for _, testCase := range testCases {
 		data := testCase.Json
 		var r DetailedRoute
 		err := json.Unmarshal([]byte(data), &r)
 		// Check everything worked
 		require.NoError(t, err)
 		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
 		require.Equal(t, "test", r.Comment)
 		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
 		require.NoError(t, err)
 		require.Equal(t, CIDR(*cidr), r.Network)
 		require.Equal(t, "test", r.Comment)
 		require.Equal(t, "Mr. Tun", r.TunnelName)
 		if testCase.HasVnet {
 			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
 		} else {
 			require.Nil(t, r.VNetID)
 		}
 		bytes, err := json.Marshal(r)
 		require.NoError(t, err)
 		obtainedJson := string(bytes)
 		data = strings.Replace(data, "\t", "", -1)
 		data = strings.Replace(data, "\n", "", -1)
 		require.Equal(t, data, obtainedJson)
 	}
 }
 func TestMarshalNewRoute(t *testing.T) {
 	_, network, err := net.ParseCIDR("1.2.3.4/32")
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	vnetId := uuid.New()
 	newRoutes := []NewRoute{
 		{
 			Network:  *network,
 			TunnelID: uuid.New(),
 			Comment:  "hi",
 		},
 		{
 			Network:  *network,
 			TunnelID: uuid.New(),
 			Comment:  "hi",
 			VNetID:   &vnetId,
 		},
 	}
 	for _, newRoute := range newRoutes {
 		// Test where receiver is struct
 		serialized, err := json.Marshal(newRoute)
 		require.NoError(t, err)
 		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
 		// Test where receiver is pointer to struct
 		serialized, err = json.Marshal(&newRoute)
 		require.NoError(t, err)
 		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
 		if newRoute.VNetID == nil {
 			require.False(t, strings.Contains(string(serialized), "virtual_network_id"))
 		} else {
 			require.True(t, strings.Contains(string(serialized), "virtual_network_id"))
 		}
 	}
 }
 func TestRouteTableString(t *testing.T) {
 	_, network, err := net.ParseCIDR("1.2.3.4/32")
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	r := DetailedRoute{
 		ID:      uuid.Nil,
 		Network: CIDR(*network),
 	}
 	row := r.TableString()
 	fmt.Println(row)
 	require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
 }
--- a/cfapi/tunnel.go
+++ b/cfapi/tunnel.go
@ -1,237 +0,0 @@
 package cfapi
 import (
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
 type Tunnel struct {
 	ID          uuid.UUID    `json:"id"`
 	Name        string       `json:"name"`
 	CreatedAt   time.Time    `json:"created_at"`
 	DeletedAt   time.Time    `json:"deleted_at"`
 	Connections []Connection `json:"connections"`
 }
 type TunnelWithToken struct {
 	Tunnel
 	Token string `json:"token"`
 }
 type Connection struct {
 	ColoName           string    `json:"colo_name"`
 	ID                 uuid.UUID `json:"id"`
 	IsPendingReconnect bool      `json:"is_pending_reconnect"`
 	OriginIP           net.IP    `json:"origin_ip"`
 	OpenedAt           time.Time `json:"opened_at"`
 }
 type ActiveClient struct {
 	ID          uuid.UUID    `json:"id"`
 	Features    []string     `json:"features"`
 	Version     string       `json:"version"`
 	Arch        string       `json:"arch"`
 	RunAt       time.Time    `json:"run_at"`
 	Connections []Connection `json:"conns"`
 }
 type newTunnel struct {
 	Name         string `json:"name"`
 	TunnelSecret []byte `json:"tunnel_secret"`
 }
 type managementRequest struct {
 	Resources []string `json:"resources"`
 }
 type CleanupParams struct {
 	queryParams url.Values
 }
 func NewCleanupParams() *CleanupParams {
 	return &CleanupParams{
 		queryParams: url.Values{},
 	}
 }
 func (cp *CleanupParams) ForClient(clientID uuid.UUID) {
 	cp.queryParams.Set("client_id", clientID.String())
 }
 func (cp CleanupParams) encode() string {
 	return cp.queryParams.Encode()
 }
 func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) {
 	if name == "" {
 		return nil, errors.New("tunnel name required")
 	}
 	if _, err := uuid.Parse(name); err == nil {
 		return nil, errors.New("you cannot use UUIDs as tunnel names")
 	}
 	body := &newTunnel{
 		Name:         name,
 		TunnelSecret: tunnelSecret,
 	}
 	resp, err := r.sendRequest("POST", r.baseEndpoints.accountLevel, body)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	switch resp.StatusCode {
 	case http.StatusOK:
 		var tunnel TunnelWithToken
 		if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
 			return nil, serdeErr
 		}
 		return &tunnel, nil
 	case http.StatusConflict:
 		return nil, ErrTunnelNameConflict
 	}
 	return nil, r.statusCodeToError("create tunnel", resp)
 }
 func (r *RESTClient) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return unmarshalTunnel(resp.Body)
 	}
 	return nil, r.statusCodeToError("get tunnel", resp)
 }
 func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/token", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
 	body := &managementRequest{
 		Resources: []string{"logs"},
 	}
 	resp, err := r.sendRequest("POST", endpoint, body)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
 	// are linked to the deleted tunnel.
 	if cascade {
 		endpoint.RawQuery = "cascade=true"
 	}
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	return r.statusCodeToError("delete tunnel", resp)
 }
 func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
 	fetchFn := func(page int) (*http.Response, error) {
 		endpoint := r.baseEndpoints.accountLevel
 		filter.Page(page)
 		endpoint.RawQuery = filter.encode()
 		rsp, err := r.sendRequest("GET", endpoint, nil)
 		if err != nil {
 			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list tunnels", rsp)
 		}
 		return rsp, nil
 	}
 	return fetchExhaustively[Tunnel](fetchFn)
 }
 func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseConnectionsDetails(resp.Body)
 	}
 	return nil, r.statusCodeToError("list connection details", resp)
 }
 func parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {
 	var clients []*ActiveClient
 	err := parseResponse(reader, &clients)
 	return clients, err
 }
 func (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.RawQuery = params.encode()
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	return r.statusCodeToError("cleanup connections", resp)
 }
 func unmarshalTunnel(reader io.Reader) (*Tunnel, error) {
 	var tunnel Tunnel
 	err := parseResponse(reader, &tunnel)
 	return &tunnel, err
 }
--- a/cfapi/tunnel_filter.go
+++ b/cfapi/tunnel_filter.go
@ -1,59 +0,0 @@
 package cfapi
 import (
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 )
 const (
 	TimeLayout = time.RFC3339
 )
 type TunnelFilter struct {
 	queryParams url.Values
 }
 func NewTunnelFilter() *TunnelFilter {
 	return &TunnelFilter{
 		queryParams: url.Values{},
 	}
 }
 func (f *TunnelFilter) ByName(name string) {
 	f.queryParams.Set("name", name)
 }
 func (f *TunnelFilter) ByNamePrefix(namePrefix string) {
 	f.queryParams.Set("name_prefix", namePrefix)
 }
 func (f *TunnelFilter) ExcludeNameWithPrefix(excludePrefix string) {
 	f.queryParams.Set("exclude_prefix", excludePrefix)
 }
 func (f *TunnelFilter) NoDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
 func (f *TunnelFilter) ByExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(TimeLayout))
 }
 func (f *TunnelFilter) ByTunnelID(tunnelID uuid.UUID) {
 	f.queryParams.Set("uuid", tunnelID.String())
 }
 func (f *TunnelFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *TunnelFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f TunnelFilter) encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/tunnel_test.go
+++ b/cfapi/tunnel_test.go
@ -1,102 +0,0 @@
 package cfapi
 import (
 	"bytes"
 	"fmt"
 	"net"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 var loc, _ = time.LoadLocation("UTC")
 func Test_unmarshalTunnel(t *testing.T) {
 	type args struct {
 		body string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    *Tunnel
 		wantErr bool
 	}{
 		{
 			name: "empty list",
 			args: args{body: `{"success": true, "result": {"id":"b34cc7ce-925b-46ee-bc23-4cb5c18d8292","created_at":"2021-07-29T13:46:14.090955Z","deleted_at":"2021-07-29T14:07:27.559047Z","name":"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV","account_id":6946212,"account_tag":"5ab4e9dfbd435d24068829fda0077963","conns_active_at":null,"conns_inactive_at":"2021-07-29T13:47:22.548482Z","tun_type":"cfd_tunnel","metadata":{"qtid":"a6fJROgkXutNruBGaJjD"}}}`},
 			want: &Tunnel{
 				ID:          uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292"),
 				Name:        "qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV",
 				CreatedAt:   time.Date(2021, 07, 29, 13, 46, 14, 90955000, loc),
 				DeletedAt:   time.Date(2021, 07, 29, 14, 7, 27, 559047000, loc),
 				Connections: nil,
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := unmarshalTunnel(strings.NewReader(tt.args.body))
 			if (err != nil) != tt.wantErr {
 				t.Errorf("unmarshalTunnel() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("unmarshalTunnel() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func TestUnmarshalTunnelOk(t *testing.T) {
 	jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
 	expected := Tunnel{
 		ID:          uuid.Nil,
 		Name:        "test",
 		CreatedAt:   time.Time{},
 		Connections: []Connection{},
 	}
 	actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
 	assert.NoError(t, err)
 	assert.Equal(t, &expected, actual)
 }
 func TestUnmarshalTunnelErr(t *testing.T) {
 	tests := []string{
 		`abc`,
 		`{"success": true, "result": abc}`,
 		`{"success": false, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
 	}
 	for i, test := range tests {
 		_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
 		assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
 	}
 }
 func TestUnmarshalConnections(t *testing.T) {
 	jsonBody := `{"success":true,"messages":[],"errors":[],"result":[{"id":"d4041254-91e3-4deb-bd94-b46e11680b1e","features":["ha-origin"],"version":"2021.2.5","arch":"darwin_amd64","conns":[{"colo_name":"LIS","id":"ac2286e5-c708-4588-a6a0-ba6b51940019","is_pending_reconnect":false,"origin_ip":"148.38.28.2","opened_at":"0001-01-01T00:00:00Z"}],"run_at":"0001-01-01T00:00:00Z"}]}`
 	expected := ActiveClient{
 		ID:       uuid.MustParse("d4041254-91e3-4deb-bd94-b46e11680b1e"),
 		Features: []string{"ha-origin"},
 		Version:  "2021.2.5",
 		Arch:     "darwin_amd64",
 		RunAt:    time.Time{},
 		Connections: []Connection{{
 			ID:                 uuid.MustParse("ac2286e5-c708-4588-a6a0-ba6b51940019"),
 			ColoName:           "LIS",
 			IsPendingReconnect: false,
 			OriginIP:           net.ParseIP("148.38.28.2"),
 			OpenedAt:           time.Time{},
 		}},
 	}
 	actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
 	assert.NoError(t, err)
 	assert.Equal(t, []*ActiveClient{&expected}, actual)
 }
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -1,134 +0,0 @@
 package cfapi
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"path"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
 	IsDefault bool   `json:"is_default"`
 }
 type VirtualNetwork struct {
 	ID        uuid.UUID `json:"id"`
 	Comment   string    `json:"comment"`
 	Name      string    `json:"name"`
 	IsDefault bool      `json:"is_default_network"`
 	CreatedAt time.Time `json:"created_at"`
 	DeletedAt time.Time `json:"deleted_at"`
 }
 type UpdateVirtualNetwork struct {
 	Name      *string `json:"name,omitempty"`
 	Comment   *string `json:"comment,omitempty"`
 	IsDefault *bool   `json:"is_default_network,omitempty"`
 }
 func (virtualNetwork VirtualNetwork) TableString() string {
 	deletedColumn := "-"
 	if !virtualNetwork.DeletedAt.IsZero() {
 		deletedColumn = virtualNetwork.DeletedAt.Format(time.RFC3339)
 	}
 	return fmt.Sprintf(
 		"%s\t%s\t%s\t%s\t%s\t%s\t",
 		virtualNetwork.ID,
 		virtualNetwork.Name,
 		strconv.FormatBool(virtualNetwork.IsDefault),
 		virtualNetwork.Comment,
 		virtualNetwork.CreatedAt.Format(time.RFC3339),
 		deletedColumn,
 	)
 }
 func (r *RESTClient) CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error) {
 	resp, err := r.sendRequest("POST", r.baseEndpoints.accountVnets, newVnet)
 	if err != nil {
 		return VirtualNetwork{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseVnet(resp.Body)
 	}
 	return VirtualNetwork{}, r.statusCodeToError("add virtual network", resp)
 }
 func (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error) {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.RawQuery = filter.Encode()
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseListVnets(resp.Body)
 	}
 	return nil, r.statusCodeToError("list virtual networks", resp)
 }
 func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	queryParams := url.Values{}
 	if force {
 		queryParams.Set("force", strconv.FormatBool(force))
 	}
 	endpoint.RawQuery = queryParams.Encode()
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseVnet(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("delete virtual network", resp)
 }
 func (r *RESTClient) UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	resp, err := r.sendRequest("PATCH", endpoint, updates)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseVnet(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("update virtual network", resp)
 }
 func parseListVnets(body io.ReadCloser) ([]*VirtualNetwork, error) {
 	var vnets []*VirtualNetwork
 	err := parseResponse(body, &vnets)
 	return vnets, err
 }
 func parseVnet(body io.ReadCloser) (VirtualNetwork, error) {
 	var vnet VirtualNetwork
 	err := parseResponse(body, &vnet)
 	return vnet, err
 }
--- a/cfapi/virtual_network_filter.go
+++ b/cfapi/virtual_network_filter.go
@ -1,99 +0,0 @@
 package cfapi
 import (
 	"net/url"
 	"strconv"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 var (
 	filterVnetId = cli.StringFlag{
 		Name:  "id",
 		Usage: "List virtual networks with the given `ID`",
 	}
 	filterVnetByName = cli.StringFlag{
 		Name:  "name",
 		Usage: "List virtual networks with the given `NAME`",
 	}
 	filterDefaultVnet = cli.BoolFlag{
 		Name:  "is-default",
 		Usage: "If true, lists the virtual network that is the default one. If false, lists all non-default virtual networks for the account. If absent, all are included in the results regardless of their default status.",
 	}
 	filterDeletedVnet = cli.BoolFlag{
 		Name:  "show-deleted",
 		Usage: "If false (default), only show non-deleted virtual networks. If true, only show deleted virtual networks.",
 	}
 	VnetFilterFlags = []cli.Flag{
 		&filterVnetId,
 		&filterVnetByName,
 		&filterDefaultVnet,
 		&filterDeletedVnet,
 	}
 )
 // VnetFilter which virtual networks get queried.
 type VnetFilter struct {
 	queryParams url.Values
 }
 func NewVnetFilter() *VnetFilter {
 	return &VnetFilter{
 		queryParams: url.Values{},
 	}
 }
 func (f *VnetFilter) ById(vnetId uuid.UUID) {
 	f.queryParams.Set("id", vnetId.String())
 }
 func (f *VnetFilter) ByName(name string) {
 	f.queryParams.Set("name", name)
 }
 func (f *VnetFilter) ByDefaultStatus(isDefault bool) {
 	f.queryParams.Set("is_default", strconv.FormatBool(isDefault))
 }
 func (f *VnetFilter) WithDeleted(isDeleted bool) {
 	f.queryParams.Set("is_deleted", strconv.FormatBool(isDeleted))
 }
 func (f *VnetFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f VnetFilter) Encode() string {
 	return f.queryParams.Encode()
 }
 // NewFromCLI parses CLI flags to discover which filters should get applied to list virtual networks.
 func NewFromCLI(c *cli.Context) (*VnetFilter, error) {
 	f := NewVnetFilter()
 	if id := c.String("id"); id != "" {
 		vnetId, err := uuid.Parse(id)
 		if err != nil {
 			return nil, errors.Wrapf(err, "%s is not a valid virtual network ID", id)
 		}
 		f.ById(vnetId)
 	}
 	if name := c.String("name"); name != "" {
 		f.ByName(name)
 	}
 	if c.IsSet("is-default") {
 		f.ByDefaultStatus(c.Bool("is-default"))
 	}
 	f.WithDeleted(c.Bool("show-deleted"))
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		f.MaxFetchSize(uint(maxFetch))
 	}
 	return f, nil
 }
--- a/cfapi/virtual_network_test.go
+++ b/cfapi/virtual_network_test.go
@ -1,79 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"strings"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 func TestVirtualNetworkJsonRoundtrip(t *testing.T) {
 	data := `{
 		"id":"74fce949-351b-4752-b261-81a56cfd3130",
 		"comment":"New York DC1",
 		"name":"us-east-1",
 		"is_default_network":true,
 		"created_at":"2021-11-26T14:40:02.600673Z",
 		"deleted_at":"2021-12-01T10:23:13.102645Z"
 	}`
 	var v VirtualNetwork
 	err := json.Unmarshal([]byte(data), &v)
 	require.NoError(t, err)
 	require.Equal(t, uuid.MustParse("74fce949-351b-4752-b261-81a56cfd3130"), v.ID)
 	require.Equal(t, "us-east-1", v.Name)
 	require.Equal(t, "New York DC1", v.Comment)
 	require.Equal(t, true, v.IsDefault)
 	bytes, err := json.Marshal(v)
 	require.NoError(t, err)
 	obtainedJson := string(bytes)
 	data = strings.Replace(data, "\t", "", -1)
 	data = strings.Replace(data, "\n", "", -1)
 	require.Equal(t, data, obtainedJson)
 }
 func TestMarshalNewVnet(t *testing.T) {
 	newVnet := NewVirtualNetwork{
 		Name:      "eu-west-1",
 		Comment:   "London office",
 		IsDefault: true,
 	}
 	serialized, err := json.Marshal(newVnet)
 	require.NoError(t, err)
 	require.True(t, strings.Contains(string(serialized), newVnet.Name))
 }
 func TestMarshalUpdateVnet(t *testing.T) {
 	newName := "bulgaria-1"
 	updates := UpdateVirtualNetwork{
 		Name: &newName,
 	}
 	// Test where receiver is struct
 	serialized, err := json.Marshal(updates)
 	require.NoError(t, err)
 	require.True(t, strings.Contains(string(serialized), newName))
 }
 func TestVnetTableString(t *testing.T) {
 	virtualNet := VirtualNetwork{
 		ID:        uuid.New(),
 		Name:      "us-east-1",
 		Comment:   "New York DC1",
 		IsDefault: true,
 		CreatedAt: time.Now(),
 		DeletedAt: time.Time{},
 	}
 	row := virtualNet.TableString()
 	require.True(t, strings.HasPrefix(row, virtualNet.ID.String()))
 	require.True(t, strings.Contains(row, virtualNet.Name))
 	require.True(t, strings.Contains(row, virtualNet.Comment))
 	require.True(t, strings.Contains(row, "true"))
 	require.True(t, strings.HasSuffix(row, "-\t"))
 }
--- a/cfio/copy.go
+++ b/cfio/copy.go
@ -1,27 +0,0 @@
 package cfio
 import (
 	"io"
 	"sync"
 )
 const defaultBufferSize = 16 * 1024
 var bufferPool = sync.Pool{
 	New: func() interface{} {
 		return make([]byte, defaultBufferSize)
 	},
 }
 func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
 	_, okWriteTo := src.(io.WriterTo)
 	_, okReadFrom := dst.(io.ReaderFrom)
 	var buffer []byte = nil
 	if !(okWriteTo || okReadFrom) {
 		buffer = bufferPool.Get().([]byte)
 		defer bufferPool.Put(buffer)
 	}
 	return io.CopyBuffer(dst, src, buffer)
 }
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,89 +1,75 @@
-pinned_go: &pinned_go go-boring=1.22.2-1
+pinned_go: &pinned_go go=1.17-1
 pinned_go_fips: &pinned_go_fips go-boring=1.16.6-6
 build_dir: &build_dir /cfsetup_build
-default-flavor: bullseye
+default-flavor: buster
-buster: &buster
+stretch: &stretch
-  build-linux:
+  build:
    build_dir: *build_dir
-    builddeps: &build_deps
+    builddeps:
-      - *pinned_go
+      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@latest
    post-cache:
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
-      # Build binary for component test
+      - make cloudflared
-      - GOOS=linux GOARCH=amd64 make cloudflared
+  build-non-fips:  # helpful to catch problems with non-fips (only used for releasing non-linux artifacts) before releases
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
     - make cover
  # except FIPS and macos 
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
    pre-cache: &build_release_pre_cache
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
  # handle FIPS separately so that we built with gofips compiler
  build-linux-fips-release:
    build_dir: *build_dir
    builddeps: *build_deps_release
    pre-cache: *build_release_pre_cache
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
-      - make generate-docker-version
+      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared
  build-all-packages: #except osxpkg
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
    pre-cache:
      # TODO: https://jira.cfops.it/browse/TUN-4792 Replace this wixl with the official one once msitools supports
      # environment.
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
    post-cache:
      - export FIPS=true
      - ./build-packages.sh
  github-release-pkgs:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-setuptools
      - python3-pip
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pygithub
    post-cache:
      # build all packages and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
      # release the packages built and moved to /cfsetup/built_artifacts
      - make github-release-built-pkgs
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
-      - *pinned_go
+      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
@ -91,27 +77,15 @@ buster: &buster
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
-  build-internal-deb-nightly-amd64:
+  build-deb-nightly:
    build_dir: *build_dir
-    builddeps: *build_fips_deb_deps
+    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      #- export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
@ -120,47 +94,38 @@ buster: &buster
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
-  package-windows:
+  publish-deb:
    build_dir: *build_dir
    builddeps:
-      - *pinned_go
+      - *pinned_go_fips
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - .teamcity/package-windows.sh
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
-      - rpm
+      - openssh-client
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
-      - export PATH="$HOME/go/bin:$PATH"
+      - export FIPS=true
-      - ./fmt-check.sh
+      - make publish-deb
-      - make test | gotest-to-teamcity
+  github-release-macos-amd64:
  test-fips:
    build_dir: *build_dir
-    builddeps: *build_deps_tests
+    builddeps:
-    pre-cache: *build_pre_cache
+      - *pinned_go
      - python3-setuptools
      - python3-pip
    pre-cache: &install_pygithub
      - pip3 install pygithub
    post-cache:
      - make github-mac-upload
  test:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - gotest-to-teamcity
    pre-cache:
      - go get golang.org/x/tools/cmd/goimports
      - go get github.com/sudarshan-reddy/go-sumtype@v0.0.0-20210827105221-82eca7e5abb1
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
@ -170,8 +135,8 @@ buster: &buster
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
-    builddeps: &build_deps_component_test
+    builddeps:
-      - *pinned_go
+      - *pinned_go_fips
      - python3.7
      - python3-pip
      - python3-setuptools
@ -180,71 +145,86 @@ buster: &buster
      - procps
    pre-cache-copy-paths:
      - component-tests/requirements.txt
-    pre-cache: &component_test_pre_cache
+    pre-cache:
      - sudo pip3 install --upgrade -r component-tests/requirements.txt
-    post-cache: &component_test_post_cache
+    post-cache:
      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
      - python3 component-tests/setup.py --type create
-      - pytest component-tests -o log_cli=true --log-cli-level=INFO
+      - pytest component-tests
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
-  component-test-fips:
+  update-homebrew:
    builddeps:
      - openssh-client
      - s3cmd
    post-cache:
      - .teamcity/update-homebrew.sh
  github-message-release:
    build_dir: *build_dir
-    builddeps: *build_deps_component_test
+    builddeps:
-    pre-cache-copy-paths:
+      - *pinned_go
-      - component-tests/requirements.txt
+      - python3-setuptools
-    pre-cache: *component_test_pre_cache
+      - python3-pip
-    post-cache: *component_test_post_cache
+    pre-cache: *install_pygithub
-  github-release-dryrun:
+    post-cache:
      - make github-message
  build-junos:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
-      - python3-dev
+      - python3
-      - libffi-dev
+      - genisoimage
-      - python3-setuptools
+      - jetez
      - python3-pip
    pre-cache:
-      - pip3 install pynacl==1.4.0
+      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
      - pip3 install pygithub==1.55
    post-cache:
-      - make github-release-dryrun
+      - export GOOS=freebsd
-  github-release:
+      - export GOARCH=amd64
      - make cloudflared-junos
  publish-junos:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
-      - python3-dev
+      - python3
-      - libffi-dev
+      - genisoimage
-      - python3-setuptools
+      - jetez
-      - python3-pip
+      - s4cmd
    pre-cache:
-      - pip3 install pynacl==1.4.0
+      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
      - pip3 install pygithub==1.55
    post-cache:
-      - make github-release
+      - export GOOS=freebsd
-  r2-linux-release:
+      - export GOARCH=amd64
-    build_dir: *build_dir
+      - make publish-cloudflared-junos
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo
    pre-cache:
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      - make r2-linux-release
-bullseye: *buster
+buster: *stretch
-bookworm: *buster
+bullseye: *stretch
 centos-7:
  publish-rpm:
    build_dir: *build_dir
    builddeps: &el7_builddeps
      - https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    pre-cache:
      - yum install -y fakeroot
      - yum upgrade -y binutils-2.27-44.base.el7.x86_64
      - wget https://golang.org/dl/go1.16.3.linux-amd64.tar.gz -P /tmp/
      - tar -C /usr/local -xzf /tmp/go1.16.3.linux-amd64.tar.gz
    post-cache:
      - export PATH=$PATH:/usr/local/go/bin
      - export GOOS=linux
      - export GOARCH=amd64
      - make publish-rpm
  build-rpm:
    build_dir: *build_dir
    builddeps: *el7_builddeps
    pre-cache:
      - yum install -y fakeroot
      - yum upgrade -y binutils-2.27-44.base.el7.x86_64
      - wget https://golang.org/dl/go1.16.3.linux-amd64.tar.gz -P /tmp/
      - tar -C /usr/local -xzf /tmp/go1.16.3.linux-amd64.tar.gz
    post-cache:
      - export PATH=$PATH:/usr/local/go/bin
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-rpm
--- a/check-fips.sh
+++ b/check-fips.sh
@ -1,15 +0,0 @@
 # Pass the path to the executable to check for FIPS compliance
 exe=$1
 if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
    # Asserts that executable is using FIPS-compliant boringcrypto
    echo "${exe}: missing goboring symbols" >&2
    exit 1
 fi
 if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
    # Asserts that executable is using FIPS-only schemes
    echo "${exe}: missing fipsonly symbols" >&2
    exit 1
 fi
 echo "${exe} is FIPS-compliant"
--- a/cloudflared.wxs
+++ b/cloudflared.wxs
@ -1,64 +1,62 @@
 <?xml version="1.0"?>
-<?if $(var.Platform)="x64" ?>
+<?if $(var.Platform)="x86"?>
    <?define Program_Files="ProgramFiles64Folder"?>
 <?else ?>
    <?define Program_Files="ProgramFilesFolder"?>
-<?endif ?>
+<?else?>
    <?define Program_Files="ProgramFiles64Folder"?>
 <?endif?>
 <?ifndef var.Version?>
    <?error Undefined Version variable?>
-<?endif ?>
+<?endif?>
 <?ifndef var.Path?>
    <?error Undefined Path variable?>
-<?endif ?>
+<?endif?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
-    <Product Id="*"
+    <Product Id="35e5e858-9372-4449-bf73-1cd6f7267128" 
        UpgradeCode="23f90fdd-9328-47ea-ab52-5380855a4b12"
        Name="cloudflared"
        Version="$(var.Version)"
        Manufacturer="cloudflare"
        Language="1033">
-        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
+      <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine"/>
-        <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
+      <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
-        <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
+      <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
         <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED"/>
         <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
                         Property="OLDERVERSIONBEINGUPGRADED"/>
      </Upgrade>
      <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
-        <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
+    <Directory Id="TARGETDIR" Name="SourceDir">
-            <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
+        <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
-            <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
+        <Directory Id="$(var.Program_Files)">
-                Property="OLDERVERSIONBEINGUPGRADED" />
+            <Directory Id="INSTALLDIR" Name="cloudflared">
-        </Upgrade>
+                <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
-        <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
+                    <File Id="ApplicationFile0" Source="$(var.Path)"/>
-
+                </Component>
        <Directory Id="TARGETDIR" Name="SourceDir">
            <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
            <Directory Id="$(var.Program_Files)">
                <Directory Id="INSTALLDIR" Name="cloudflared">
                    <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
                        <File Id="ApplicationFile0" Source="$(var.Path)" />
                    </Component>
                </Directory>
            </Directory>
            <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
                <!--Set the cloudflared bin location to the Path Environment Variable-->
                <Environment Id="ENV0"
                    Name="PATH"
                    Value="[INSTALLDIR]"
                    Permanent="no"
                    Part="last"
                    Action="create"
                    System="yes" />
            </Component>
        </Directory>
        <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
        <!--Set the cloudflared bin location to the Path Environment Variable-->
         <Environment Id="ENV0"
           Name="PATH"
           Value="[INSTALLDIR]."
           Permanent="no"
           Part="last"
           Action="create"
           System="yes" />
        </Component>
    </Directory>
-        <Feature Id='Complete' Level='1'>
+    <Feature Id='Complete' Level='1'>
-            <ComponentRef Id="ENVS" />
+      <ComponentRef Id="ENVS"/>
-            <ComponentRef Id='ApplicationFiles' />
+      <ComponentRef Id='ApplicationFiles' />
-        </Feature>
+    </Feature>
    </Product>
 </Wix>
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -3,7 +3,6 @@ package access
 import (
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
@ -14,7 +13,6 @@ import (
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/validation"
 )
@ -40,7 +38,6 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	if forwarder.TokenSecret != "" {
 		headers.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)
 	}
 	headers.Set("User-Agent", userAgent)
 	carrier.SetBastionDest(headers, forwarder.Destination)
@ -61,37 +58,31 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process
+	log := logger.CreateSSHLoggerFromContext(c, logger.EnableTerminalLog)
 	outputTerminal := logger.DisableTerminalLog
 	if c.IsSet(sshURLFlag) {
 		outputTerminal = logger.EnableTerminalLog
 	}
 	log := logger.CreateSSHLoggerFromContext(c, outputTerminal)
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
-	url, err := parseURL(rawHostName)
+	hostname, err := validation.ValidateHostname(rawHostName)
-	if err != nil {
+	if err != nil || rawHostName == "" {
 		log.Err(err).Send()
 		return cli.ShowCommandHelp(c, "ssh")
 	}
 	originURL := ensureURLScheme(hostname)
 	// get the headers from the cmdline and add them
-	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
 	headers.Set("User-Agent", userAgent)
 	carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
 	options := &carrier.StartOptions{
-		OriginURL: url.String(),
+		OriginURL: originURL,
 		Headers:   headers,
-		Host:      url.Host,
+		Host:      hostname,
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
@ -130,17 +121,16 @@ func ssh(c *cli.Context) error {
 		return err
 	}
-	var s io.ReadWriter
+	return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)
-	s = &carrier.StdinoutStream{}
+}
-	if c.IsSet(sshDebugStream) {
+
-		maxMessages := c.Uint64(sshDebugStream)
+func buildRequestHeaders(values []string) http.Header {
-		if maxMessages == 0 {
+	headers := make(http.Header)
-			// default to 10 if provided but unset
+	for _, valuePair := range values {
-			maxMessages = 10
+		split := strings.Split(valuePair, ":")
-		}
+		if len(split) > 1 {
-		logger := log.With().Str("host", url.Host).Logger()
+			headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))
-		s = stream.NewDebugStream(s, &logger, maxMessages)
+		}
-	}
+	}
-	carrier.StartClient(wsConn, s, options)
+	return headers
 	return nil
 }
--- a/cmd/cloudflared/access/carrier_test.go
+++ b/cmd/cloudflared/access/carrier_test.go
@ -0,0 +1,18 @@
 package access
 import (
 	"net/http"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestBuildRequestHeaders(t *testing.T) {
 	headers := make(http.Header)
 	headers.Add("client", "value")
 	headers.Add("secret", "safe-value")
 	values := buildRequestHeaders([]string{"client: value", "secret: safe-value", "trash"})
 	assert.Equal(t, headers.Get("client"), values.Get("client"))
 	assert.Equal(t, headers.Get("secret"), values.Get("secret"))
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -11,7 +11,7 @@ import (
 	"text/template"
 	"time"
-	"github.com/getsentry/sentry-go"
+	"github.com/getsentry/raven-go"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -26,8 +26,6 @@ import (
 )
 const (
 	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
@ -36,17 +34,19 @@ const (
 	sshTokenSecretFlag = "service-token-secret"
 	sshGenCertFlag     = "short-lived-cert"
 	sshConnectTo       = "connect-to"
 	sshDebugStream     = "debug-stream"
 	sshConfigTemplate  = `
 Add to your {{.Home}}/.ssh/config:
 {{- if .ShortLivedCerts}}
 Match host {{.Hostname}} exec "{{.Cloudflared}} access ssh-gen --hostname %h"
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
 {{- else}}
 Host {{.Hostname}}
 {{- if .ShortLivedCerts}}
  ProxyCommand bash -c '{{.Cloudflared}} access ssh-gen --hostname %h; ssh -tt %r@cfpipe-{{.Hostname}} >&2 <&1'
 Host cfpipe-{{.Hostname}}
  HostName {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
  IdentityFile ~/.cloudflared/{{.Hostname}}-cf_key
  CertificateFile ~/.cloudflared/{{.Hostname}}-cf_key-cert.pub
 {{- else}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
@ -56,13 +56,11 @@ const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
 var (
 	shutdownC chan struct{}
 	userAgent = "DEV"
 )
 // Init will initialize and store vars from the main program
-func Init(shutdown chan struct{}, version string) {
+func Init(shutdown chan struct{}) {
 	shutdownC = shutdown
 	userAgent = fmt.Sprintf("cloudflared/%s", version)
 }
 // Flags return the global flags for Access related commands (hopefully none)
@ -84,29 +82,14 @@ func Commands() []*cli.Command {
 			applications from the command line.`,
 			Subcommands: []*cli.Command{
 				{
-					Name:      "login",
+					Name:   "login",
-					Action:    cliutil.Action(login),
+					Action: cliutil.Action(login),
-					Usage:     "login <url of access application>",
+					Usage:  "login <url of access application>",
 					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
 					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
 					administrator. cloudflared stores the token in local storage.`,
 					Flags: []cli.Flag{
 						&cli.BoolFlag{
 							Name:    loginQuietFlag,
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
 						&cli.BoolFlag{
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
 					},
 				},
 				{
 					Name:   "curl",
@ -120,12 +103,12 @@ func Commands() []*cli.Command {
 				{
 					Name:        "token",
 					Action:      cliutil.Action(generateToken),
-					Usage:       "token <url of access application>",
+					Usage:       "token -app=<url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: appURLFlag,
+							Name: "app",
 						},
 					},
 				},
@ -141,18 +124,15 @@ func Commands() []*cli.Command {
 							Name:    sshHostnameFlag,
 							Aliases: []string{"tunnel-host", "T"},
 							Usage:   "specify the hostname of your application.",
 							EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
 						},
 						&cli.StringFlag{
-							Name:    sshDestinationFlag,
+							Name:  sshDestinationFlag,
-							Usage:   "specify the destination address of your SSH server.",
+							Usage: "specify the destination address of your SSH server.",
 							EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
 						},
 						&cli.StringFlag{
 							Name:    sshURLFlag,
 							Aliases: []string{"listener", "L"},
 							Usage:   "specify the host:port to forward data to Cloudflare edge.",
 							EnvVars: []string{"TUNNEL_SERVICE_URL"},
 						},
 						&cli.StringSliceFlag{
 							Name:    sshHeaderFlag,
@ -172,12 +152,9 @@ func Commands() []*cli.Command {
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:  logger.LogFileFlag,
+							Name:    logger.LogSSHDirectoryFlag,
-							Usage: "Save application log to this file for reporting issues.",
+							Aliases: []string{"logfile"}, //added to match the tunnel side
-						},
+							Usage:   "Save application log to this directory for reporting issues.",
 						&cli.StringFlag{
 							Name:  logger.LogSSHDirectoryFlag,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
 							Name:    logger.LogSSHLevelFlag,
@ -189,11 +166,6 @@ func Commands() []*cli.Command {
 							Hidden: true,
 							Usage:  "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
 						},
 						&cli.Uint64Flag{
 							Name:   sshDebugStream,
 							Hidden: true,
 							Usage:  "Writes up-to the max provided stream payloads to the logger as debug statements.",
 						},
 					},
 				},
 				{
@ -231,18 +203,16 @@ func Commands() []*cli.Command {
 // login pops up the browser window to do the actual login and JWT generation
 func login(c *cli.Context) error {
-	err := sentry.Init(sentry.ClientOptions{
+	if err := raven.SetDSN(sentryDSN); err != nil {
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
-	appURL, err := getAppURLFromArgs(c)
+	args := c.Args()
-	if err != nil {
+	rawURL := ensureURLScheme(args.First())
 	appURL, err := url.Parse(rawURL)
 	if args.Len() < 1 || err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
@ -265,29 +235,24 @@ func login(c *cli.Context) error {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
-
+	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
 	// Chatty by default for backward compat. The new --app flag
 	// is an implicit opt-out of the backwards-compatible chatty output.
 	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
 		fmt.Fprint(os.Stdout, cfdToken)
 	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	}
 	return nil
 }
 // ensureURLScheme prepends a URL with https:// if it doesnt have a scheme. http:// URLs will not be converted.
 func ensureURLScheme(url string) string {
 	url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
 	if !strings.HasPrefix(url, "https://") {
 		url = fmt.Sprintf("https://%s", url)
 	}
 	return url
 }
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
-	err := sentry.Init(sentry.ClientOptions{
+	if err := raven.SetDSN(sentryDSN); err != nil {
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
@ -308,13 +273,6 @@ func curl(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
 	// Verify that the existing token is still good; if not fetch a new one
 	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
 	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
 		if allowRequest {
@ -336,7 +294,6 @@ func curl(c *cli.Context) error {
 // run kicks off a shell task and pipe the results to the respective std pipes
 func run(cmd string, args ...string) error {
 	c := exec.Command(cmd, args...)
 	c.Stdin = os.Stdin
 	stderr, err := c.StderrPipe()
 	if err != nil {
 		return err
@ -355,28 +312,13 @@ func run(cmd string, args ...string) error {
 	return c.Run()
 }
 func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
 	var appURLStr string
 	args := c.Args()
 	if args.Len() < 1 {
 		appURLStr = c.String(appURLFlag)
 	} else {
 		appURLStr = args.First()
 	}
 	return parseURL(appURLStr)
 }
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
-	err := sentry.Init(sentry.ClientOptions{
+	if err := raven.SetDSN(sentryDSN); err != nil {
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
-	appURL, err := getAppURLFromArgs(c)
+	appURL, err := url.Parse(ensureURLScheme(c.String("app")))
-	if err != nil {
+	if err != nil || c.NumFlags() < 1 {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
@ -428,7 +370,7 @@ func sshGen(c *cli.Context) error {
 		return cli.ShowCommandHelp(c, "ssh-gen")
 	}
-	originURL, err := parseURL(hostname)
+	originURL, err := url.Parse(ensureURLScheme(hostname))
 	if err != nil {
 		return err
 	}
@ -507,11 +449,6 @@ func processURL(s string) (*url.URL, error) {
 // cloudflaredPath pulls the full path of cloudflared on disk
 func cloudflaredPath() string {
 	path, err := os.Executable()
 	if err == nil && isFileThere(path) {
 		return path
 	}
 	for _, p := range strings.Split(os.Getenv("PATH"), ":") {
 		path := fmt.Sprintf("%s/%s", p, "cloudflared")
 		if isFileThere(path) {
@ -534,7 +471,7 @@ func isFileThere(candidate string) bool {
 // Then makes a request to to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
-	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
@ -568,11 +505,6 @@ func isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, err
 	if err != nil {
 		return false, errors.Wrap(err, "Could not create access request")
 	}
 	req.Header.Set("User-Agent", userAgent)
 	query := req.URL.Query()
 	query.Set("cloudflared_token_check", "true")
 	req.URL.RawQuery = query.Encode()
 	// Do not follow redirects
 	client := &http.Client{
--- a/cmd/cloudflared/access/cmd_test.go
+++ b/cmd/cloudflared/access/cmd_test.go
@ -0,0 +1,25 @@
 package access
 import "testing"
 func Test_ensureURLScheme(t *testing.T) {
 	type args struct {
 		url string
 	}
 	tests := []struct {
 		name string
 		args args
 		want string
 	}{
 		{"no scheme", args{"localhost:123"}, "https://localhost:123"},
 		{"http scheme", args{"http://test"}, "https://test"},
 		{"https scheme", args{"https://test"}, "https://test"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := ensureURLScheme(tt.args.url); got != tt.want {
 				t.Errorf("ensureURLScheme() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/cmd/cloudflared/access/validation.go
+++ b/cmd/cloudflared/access/validation.go
@ -1,55 +0,0 @@
 package access
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"golang.org/x/net/http/httpguts"
 )
 // parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
 // a http.Header object.
 func parseRequestHeaders(values []string) http.Header {
 	headers := make(http.Header)
 	for _, valuePair := range values {
 		header, value, found := strings.Cut(valuePair, ":")
 		if found {
 			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
 		}
 	}
 	return headers
 }
 // parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
 // certain expectations from the URL.
 // Will convert all HTTP URLs to HTTPS
 func parseURL(input string) (*url.URL, error) {
 	if input == "" {
 		return nil, errors.New("no input provided")
 	}
 	if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
 		input = fmt.Sprintf("https://%s", input)
 	}
 	url, err := url.ParseRequestURI(input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse as URL: %w", err)
 	}
 	if url.Scheme != "https" {
 		url.Scheme = "https"
 	}
 	if url.Host == "" {
 		return nil, errors.New("failed to parse Host")
 	}
 	host, err := httpguts.PunycodeHostPort(url.Host)
 	if err != nil || host == "" {
 		return nil, err
 	}
 	if !httpguts.ValidHostHeader(host) {
 		return nil, errors.New("invalid Host provided")
 	}
 	url.Host = host
 	return url, nil
 }
--- a/cmd/cloudflared/access/validation_test.go
+++ b/cmd/cloudflared/access/validation_test.go
@ -1,80 +0,0 @@
 package access
 import (
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestParseRequestHeaders(t *testing.T) {
 	values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
 	assert.Len(t, values, 3)
 	assert.Equal(t, "value", values.Get("client"))
 	assert.Equal(t, "safe-value", values.Get("secret"))
 	assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
 }
 func TestParseURL(t *testing.T) {
 	schemes := []string{
 		"http://",
 		"https://",
 		"",
 	}
 	hosts := []struct {
 		input    string
 		expected string
 	}{
 		{"localhost", "localhost"},
 		{"127.0.0.1", "127.0.0.1"},
 		{"127.0.0.1:9090", "127.0.0.1:9090"},
 		{"::1", "::1"},
 		{"::1:8080", "::1:8080"},
 		{"[::1]", "[::1]"},
 		{"[::1]:8080", "[::1]:8080"},
 		{":8080", ":8080"},
 		{"example.com", "example.com"},
 		{"hello.example.com", "hello.example.com"},
 		{"bücher.example.com", "xn--bcher-kva.example.com"},
 	}
 	paths := []string{
 		"",
 		"/test",
 		"/example.com?qwe=123",
 	}
 	for i, scheme := range schemes {
 		for j, host := range hosts {
 			for k, path := range paths {
 				t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
 					input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
 					expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
 					url, err := parseURL(input)
 					assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
 					assert.Equal(t, expected, url.String())
 					assert.Equal(t, host.expected, url.Host)
 					assert.Equal(t, "https", url.Scheme)
 				})
 			}
 		}
 	}
 	t.Run("no input", func(t *testing.T) {
 		_, err := parseURL("")
 		assert.ErrorContains(t, err, "no input provided")
 	})
 	t.Run("missing host", func(t *testing.T) {
 		_, err := parseURL("https:///host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid path only", func(t *testing.T) {
 		_, err := parseURL("/host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid parse URL", func(t *testing.T) {
 		_, err := parseURL("https://host\\host")
 		assert.ErrorContains(t, err, "failed to parse as URL")
 	})
 }
--- a/cmd/cloudflared/buildinfo/build_info.go
+++ b/cmd/cloudflared/buildinfo/build_info.go
@ -0,0 +1,33 @@
 package buildinfo
 import (
 	"fmt"
 	"runtime"
 	"github.com/rs/zerolog"
 )
 type BuildInfo struct {
 	GoOS               string `json:"go_os"`
 	GoVersion          string `json:"go_version"`
 	GoArch             string `json:"go_arch"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 }
 func GetBuildInfo(cloudflaredVersion string) *BuildInfo {
 	return &BuildInfo{
 		GoOS:               runtime.GOOS,
 		GoVersion:          runtime.Version(),
 		GoArch:             runtime.GOARCH,
 		CloudflaredVersion: cloudflaredVersion,
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
 	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
 	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
 }
 func (bi *BuildInfo) OSArch() string {
 	return fmt.Sprintf("%s_%s", bi.GoOS, bi.GoArch)
 }
--- a/cmd/cloudflared/cliutil/build_info.go
+++ b/cmd/cloudflared/cliutil/build_info.go
@ -1,83 +0,0 @@
 package cliutil
 import (
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"github.com/rs/zerolog"
 )
 type BuildInfo struct {
 	GoOS               string `json:"go_os"`
 	GoVersion          string `json:"go_version"`
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 	Checksum           string `json:"checksum"`
 }
 func GetBuildInfo(buildType, version string) *BuildInfo {
 	return &BuildInfo{
 		GoOS:               runtime.GOOS,
 		GoVersion:          runtime.Version(),
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
 		Checksum:           currentBinaryChecksum(),
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
 	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
 	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
 }
 func (bi *BuildInfo) OSArch() string {
 	return fmt.Sprintf("%s_%s", bi.GoOS, bi.GoArch)
 }
 func (bi *BuildInfo) Version() string {
 	return bi.CloudflaredVersion
 }
 func (bi *BuildInfo) GetBuildTypeMsg() string {
 	if bi.BuildType == "" {
 		return ""
 	}
 	return fmt.Sprintf(" with %s", bi.BuildType)
 }
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
 // FileChecksum opens a file and returns the SHA256 checksum.
 func FileChecksum(filePath string) (string, error) {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 func currentBinaryChecksum() string {
 	currentPath, err := os.Executable()
 	if err != nil {
 		return ""
 	}
 	sum, _ := FileChecksum(currentPath)
 	return sum
 }
--- a/cmd/cloudflared/cliutil/deprecated.go
+++ b/cmd/cloudflared/cliutil/deprecated.go
@ -11,7 +11,7 @@ func RemovedCommand(name string) *cli.Command {
 		Name: name,
 		Action: func(context *cli.Context) error {
 			return cli.Exit(
-				fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Cloudflare Tunnel documentation for possible alternative solutions.", name),
+				fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Argo Tunnel documentation for possible alternative solutions.", name),
 				-1,
 			)
 		},
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -1,51 +0,0 @@
 package cliutil
 import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"github.com/cloudflare/cloudflared/logger"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogLevelFlag,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogTransportLevelFlag,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
 			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogFileFlag,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogDirectoryFlag,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "trace-output",
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 	}
 }
--- a/cmd/cloudflared/common_service.go
+++ b/cmd/cloudflared/common_service.go
@ -1,30 +0,0 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 )
 func buildArgsForToken(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	token := c.Args().First()
 	if _, err := tunnel.ParseToken(token); err != nil {
 		return nil, cliutil.UsageError("Provided tunnel token is not valid (%s).", err)
 	}
 	return []string{
 		"tunnel", "run", "--token", token,
 	}, nil
 }
 func getServiceExtraArgsFromCliArgs(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	if c.NArg() > 0 {
 		// currently, we only support extra args for token
 		return buildArgsForToken(c, log)
 	} else {
 		// empty extra args
 		return make([]string, 0), nil
 	}
 }
--- a/cmd/cloudflared/generic_service.go
+++ b/cmd/cloudflared/generic_service.go
@ -1,4 +1,4 @@
-//go:build !windows && !darwin && !linux
+// +build !windows,!darwin,!linux
 package main
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -1,10 +1,11 @@
-//go:build linux
+// +build linux
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -18,19 +19,22 @@ import (
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
-		Usage: "Manages the cloudflared system service",
+		Usage: "Manages the Argo Tunnel system service",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
-				Usage:  "Install cloudflared as a system service",
+				Usage:  "Install Argo Tunnel as a system service",
 				Action: cliutil.ConfiguredAction(installLinuxService),
 				Flags: []cli.Flag{
-					noUpdateServiceFlag,
+					&cli.BoolFlag{
 						Name:  "legacy",
 						Usage: "Generate service file for non-named tunnels",
 					},
 				},
 			},
 			{
 				Name:   "uninstall",
-				Usage:  "Uninstall the cloudflared service",
+				Usage:  "Uninstall the Argo Tunnel service",
 				Action: cliutil.ConfiguredAction(uninstallLinuxService),
 			},
 		},
@ -41,27 +45,23 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
 // The directory and files that are used by the service.
 // These are hard-coded in the templates below.
 const (
-	serviceConfigDir         = "/etc/cloudflared"
+	serviceConfigDir      = "/etc/cloudflared"
-	serviceConfigFile        = "config.yml"
+	serviceConfigFile     = "config.yml"
-	serviceCredentialFile    = "cert.pem"
+	serviceCredentialFile = "cert.pem"
-	serviceConfigPath        = serviceConfigDir + "/" + serviceConfigFile
+	serviceConfigPath     = serviceConfigDir + "/" + serviceConfigFile
 	cloudflaredService       = "cloudflared.service"
 	cloudflaredUpdateService = "cloudflared-update.service"
 	cloudflaredUpdateTimer   = "cloudflared-update.timer"
 )
-var systemdAllTemplates = map[string]ServiceTemplate{
+var systemdTemplates = []ServiceTemplate{
-	cloudflaredService: {
+	{
-		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredService),
+		Path: "/etc/systemd/system/cloudflared.service",
 		Content: `[Unit]
-Description=cloudflared
+Description=Argo Tunnel
-After=network-online.target
+After=network.target
 Wants=network-online.target
 [Service]
 TimeoutStartSec=0
 Type=notify
-ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
+ExecStart={{ .Path }} --config /etc/cloudflared/config.yml --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
 RestartSec=5s
@ -69,21 +69,20 @@ RestartSec=5s
 WantedBy=multi-user.target
 `,
 	},
-	cloudflaredUpdateService: {
+	{
-		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateService),
+		Path: "/etc/systemd/system/cloudflared-update.service",
 		Content: `[Unit]
-Description=Update cloudflared
+Description=Update Argo Tunnel
-After=network-online.target
+After=network.target
 Wants=network-online.target
 [Service]
 ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
 `,
 	},
-	cloudflaredUpdateTimer: {
+	{
-		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateTimer),
+		Path: "/etc/systemd/system/cloudflared-update.timer",
 		Content: `[Unit]
-Description=Update cloudflared
+Description=Update Argo Tunnel
 [Timer]
 OnCalendar=daily
@ -100,7 +99,7 @@ var sysvTemplate = ServiceTemplate{
 	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
-# description: cloudflared
+# description: Argo Tunnel agent
 # processname: {{.Path}}
 ### BEGIN INIT INFO
 # Provides:          {{.Path}}
@ -108,11 +107,11 @@ var sysvTemplate = ServiceTemplate{
 # Required-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: cloudflared
+# Short-Description: Argo Tunnel
-# Description:       cloudflared agent
+# Description:       Argo Tunnel agent
 ### END INIT INFO
 name=$(basename $(readlink -f $0))
-cmd="{{.Path}} --pidfile /var/run/$name.pid {{ range .ExtraArgs }} {{ . }}{{ end }}"
+cmd="{{.Path}} --config /etc/cloudflared/config.yml --pidfile /var/run/$name.pid --autoupdate-freq 24h0m0s{{ range .ExtraArgs }} {{ . }}{{ end }}"
 pid_file="/var/run/$name.pid"
 stdout_log="/var/log/$name.log"
 stderr_log="/var/log/$name.err"
@ -184,14 +183,6 @@ exit 0
 `,
 }
 var (
 	noUpdateServiceFlag = &cli.BoolFlag{
 		Name:  "no-update-service",
 		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
 		Value: false,
 	}
 )
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
 		return true
@ -199,6 +190,27 @@ func isSystemd() bool {
 	return false
 }
 func copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile string, log *zerolog.Logger) error {
 	srcCredentialPath := filepath.Join(userConfigDir, userCredentialFile)
 	destCredentialPath := filepath.Join(serviceConfigDir, serviceCredentialFile)
 	if srcCredentialPath != destCredentialPath {
 		if err := copyCredential(srcCredentialPath, destCredentialPath); err != nil {
 			return err
 		}
 	}
 	srcConfigPath := filepath.Join(userConfigDir, userConfigFile)
 	destConfigPath := filepath.Join(serviceConfigDir, serviceConfigFile)
 	if srcConfigPath != destConfigPath {
 		if err := copyConfig(srcConfigPath, destConfigPath); err != nil {
 			return err
 		}
 		log.Info().Msgf("Copied %s to %s", srcConfigPath, destConfigPath)
 	}
 	return nil
 }
 func installLinuxService(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
@ -210,88 +222,64 @@ func installLinuxService(c *cli.Context) error {
 		Path: etPath,
 	}
-	// Check if the "no update flag" is set
+	if err := ensureConfigDirExists(serviceConfigDir); err != nil {
 	autoUpdate := !c.IsSet(noUpdateServiceFlag.Name)
 	var extraArgsFunc func(c *cli.Context, log *zerolog.Logger) ([]string, error)
 	if c.NArg() == 0 {
 		extraArgsFunc = buildArgsForConfig
 	} else {
 		extraArgsFunc = buildArgsForToken
 	}
 	extraArgs, err := extraArgsFunc(c, log)
 	if err != nil {
 		return err
 	}
 	if c.Bool("legacy") {
 		userConfigDir := filepath.Dir(c.String("config"))
 		userConfigFile := filepath.Base(c.String("config"))
 		userCredentialFile := config.DefaultCredentialFile
 		if err = copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile, log); err != nil {
 			log.Err(err).Msgf("Failed to copy user configuration. Before running the service, ensure that %s contains two files, %s and %s",
 				serviceConfigDir, serviceCredentialFile, serviceConfigFile)
 			return err
 		}
 		templateArgs.ExtraArgs = []string{
 			"--origincert", serviceConfigDir + "/" + serviceCredentialFile,
 		}
 	} else {
 		src, _, err := config.ReadConfigFile(c, log)
 		if err != nil {
 			return err
 		}
-	templateArgs.ExtraArgs = extraArgs
+		// can't use context because this command doesn't define "credentials-file" flag
 		configPresent := func(s string) bool {
 			val, err := src.String(s)
 			return err == nil && val != ""
 		}
 		if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
 			return fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
 tunnel: TUNNEL-UUID
 credentials-file: CREDENTIALS-FILE
 `, src.Source())
 		}
 		if src.Source() != serviceConfigPath {
 			if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
 				return fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
 			}
 			if err := copyFile(src.Source(), serviceConfigPath); err != nil {
 				return fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
 			}
 		}
 		templateArgs.ExtraArgs = []string{
 			"tunnel", "run",
 		}
 	}
 	switch {
 	case isSystemd():
 		log.Info().Msgf("Using Systemd")
-		err = installSystemd(&templateArgs, autoUpdate, log)
+		return installSystemd(&templateArgs, log)
 	default:
 		log.Info().Msgf("Using SysV")
-		err = installSysv(&templateArgs, autoUpdate, log)
+		return installSysv(&templateArgs, log)
 	}
 	if err == nil {
 		log.Info().Msg("Linux service for cloudflared installed successfully")
 	}
 	return err
 }
-func buildArgsForConfig(c *cli.Context, log *zerolog.Logger) ([]string, error) {
+func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
 	if err := ensureConfigDirExists(serviceConfigDir); err != nil {
 		return nil, err
 	}
 	src, _, err := config.ReadConfigFile(c, log)
 	if err != nil {
 		return nil, err
 	}
 	// can't use context because this command doesn't define "credentials-file" flag
 	configPresent := func(s string) bool {
 		val, err := src.String(s)
 		return err == nil && val != ""
 	}
 	if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
 		return nil, fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
 tunnel: TUNNEL-UUID
 credentials-file: CREDENTIALS-FILE
 `, src.Source())
 	}
 	if src.Source() != serviceConfigPath {
 		if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
 			return nil, fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
 		}
 		if err := copyFile(src.Source(), serviceConfigPath); err != nil {
 			return nil, fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
 		}
 	}
 	return []string{
 		"--config", "/etc/cloudflared/config.yml", "tunnel", "run",
 	}, nil
 }
 func installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
 	var systemdTemplates []ServiceTemplate
 	if autoUpdate {
 		systemdTemplates = []ServiceTemplate{
 			systemdAllTemplates[cloudflaredService],
 			systemdAllTemplates[cloudflaredUpdateService],
 			systemdAllTemplates[cloudflaredUpdateTimer],
 		}
 	} else {
 		systemdTemplates = []ServiceTemplate{
 			systemdAllTemplates[cloudflaredService],
 		}
 	}
 	for _, serviceTemplate := range systemdTemplates {
 		err := serviceTemplate.Generate(templateArgs)
 		if err != nil {
@ -299,38 +287,24 @@ func installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zer
 			return err
 		}
 	}
-	if err := runCommand("systemctl", "enable", cloudflaredService); err != nil {
+	if err := runCommand("systemctl", "enable", "cloudflared.service"); err != nil {
-		log.Err(err).Msgf("systemctl enable %s error", cloudflaredService)
+		log.Err(err).Msg("systemctl enable cloudflared.service error")
 		return err
 	}
-
+	if err := runCommand("systemctl", "start", "cloudflared-update.timer"); err != nil {
-	if autoUpdate {
+		log.Err(err).Msg("systemctl start cloudflared-update.timer error")
 		if err := runCommand("systemctl", "start", cloudflaredUpdateTimer); err != nil {
 			log.Err(err).Msgf("systemctl start %s error", cloudflaredUpdateTimer)
 			return err
 		}
 	}
 	if err := runCommand("systemctl", "daemon-reload"); err != nil {
 		log.Err(err).Msg("systemctl daemon-reload error")
 		return err
 	}
-	return runCommand("systemctl", "start", cloudflaredService)
+	log.Info().Msg("systemctl daemon-reload")
 	return runCommand("systemctl", "daemon-reload")
 }
-func installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
+func installSysv(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
 	confPath, err := sysvTemplate.ResolvePath()
 	if err != nil {
 		log.Err(err).Msg("error resolving system path")
 		return err
 	}
 	if autoUpdate {
 		templateArgs.ExtraArgs = append([]string{"--autoupdate-freq 24h0m0s"}, templateArgs.ExtraArgs...)
 	} else {
 		templateArgs.ExtraArgs = append([]string{"--no-autoupdate"}, templateArgs.ExtraArgs...)
 	}
 	if err := sysvTemplate.Generate(templateArgs); err != nil {
 		log.Err(err).Msg("error generating system template")
 		return err
@ -345,75 +319,42 @@ func installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolo
 			continue
 		}
 	}
-	return runCommand("service", "cloudflared", "start")
+	return nil
 }
 func uninstallLinuxService(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	var err error
 	switch {
 	case isSystemd():
 		log.Info().Msg("Using Systemd")
-		err = uninstallSystemd(log)
+		return uninstallSystemd(log)
 	default:
 		log.Info().Msg("Using SysV")
-		err = uninstallSysv(log)
+		return uninstallSysv(log)
 	}
 	if err == nil {
 		log.Info().Msg("Linux service for cloudflared uninstalled successfully")
 	}
 	return err
 }
 func uninstallSystemd(log *zerolog.Logger) error {
-	// Get only the installed services
+	if err := runCommand("systemctl", "disable", "cloudflared.service"); err != nil {
-	installedServices := make(map[string]ServiceTemplate)
+		log.Err(err).Msg("systemctl disable cloudflared.service error")
-	for serviceName, serviceTemplate := range systemdAllTemplates {
+		return err
 		if err := runCommand("systemctl", "list-units", "--all", "|", "grep", serviceName); err == nil {
 			installedServices[serviceName] = serviceTemplate
 		} else {
 			log.Info().Msgf("Service '%s' not installed, skipping its uninstall", serviceName)
 		}
 	}
-
+	if err := runCommand("systemctl", "stop", "cloudflared-update.timer"); err != nil {
-	if _, exists := installedServices[cloudflaredService]; exists {
+		log.Err(err).Msg("systemctl stop cloudflared-update.timer error")
-		if err := runCommand("systemctl", "disable", cloudflaredService); err != nil {
+		return err
 			log.Err(err).Msgf("systemctl disable %s error", cloudflaredService)
 			return err
 		}
 		if err := runCommand("systemctl", "stop", cloudflaredService); err != nil {
 			log.Err(err).Msgf("systemctl stop %s error", cloudflaredService)
 			return err
 		}
 	}
-
+	for _, serviceTemplate := range systemdTemplates {
 	if _, exists := installedServices[cloudflaredUpdateTimer]; exists {
 		if err := runCommand("systemctl", "stop", cloudflaredUpdateTimer); err != nil {
 			log.Err(err).Msgf("systemctl stop %s error", cloudflaredUpdateTimer)
 			return err
 		}
 	}
 	for _, serviceTemplate := range installedServices {
 		if err := serviceTemplate.Remove(); err != nil {
 			log.Err(err).Msg("error removing service template")
 			return err
 		}
 	}
-	if err := runCommand("systemctl", "daemon-reload"); err != nil {
+	log.Info().Msgf("Successfully uninstalled cloudflared service from systemd")
 		log.Err(err).Msg("systemctl daemon-reload error")
 		return err
 	}
 	return nil
 }
 func uninstallSysv(log *zerolog.Logger) error {
 	if err := runCommand("service", "cloudflared", "stop"); err != nil {
 		log.Err(err).Msg("service cloudflared stop error")
 		return err
 	}
 	if err := sysvTemplate.Remove(); err != nil {
 		log.Err(err).Msg("error removing service template")
 		return err
@ -428,5 +369,6 @@ func uninstallSysv(log *zerolog.Logger) error {
 			continue
 		}
 	}
 	log.Info().Msgf("Successfully uninstalled cloudflared service from sysv")
 	return nil
 }
--- a/cmd/cloudflared/macos_service.go
+++ b/cmd/cloudflared/macos_service.go
@ -1,4 +1,4 @@
-//go:build darwin
+// +build darwin
 package main
@ -20,16 +20,16 @@ const (
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
-		Usage: "Manages the cloudflared launch agent",
+		Usage: "Manages the Argo Tunnel launch agent",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
-				Usage:  "Install cloudflared as an user launch agent",
+				Usage:  "Install Argo Tunnel as an user launch agent",
 				Action: cliutil.ConfiguredAction(installLaunchd),
 			},
 			{
 				Name:   "uninstall",
-				Usage:  "Uninstall the cloudflared launch agent",
+				Usage:  "Uninstall the Argo Tunnel launch agent",
 				Action: cliutil.ConfiguredAction(uninstallLaunchd),
 			},
 		},
@ -49,9 +49,6 @@ func newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemp
 		<key>ProgramArguments</key>
 		<array>
 			<string>{{ .Path }}</string>
 			{{- range $i, $item := .ExtraArgs}}
 			<string>{{ $item }}</string>
 			{{- end}}
 		</array>
 		<key>RunAtLoad</key>
 		<true/>
@ -113,13 +110,13 @@ func installLaunchd(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	if isRootUser() {
-		log.Info().Msg("Installing cloudflared client as a system launch daemon. " +
+		log.Info().Msg("Installing Argo Tunnel client as a system launch daemon. " +
-			"cloudflared client will run at boot")
+			"Argo Tunnel client will run at boot")
 	} else {
-		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
+		log.Info().Msg("Installing Argo Tunnel client as an user launch agent. " +
-			"Note that cloudflared client will only run when the user is logged in. " +
+			"Note that Argo Tunnel client will only run when the user is logged in. " +
-			"If you want to run cloudflared client at boot, install with root permission. " +
+			"If you want to run Argo Tunnel client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
+			"For more information, visit https://developers.cloudflare.com/argo-tunnel/reference/service/")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
@ -131,13 +128,6 @@ func installLaunchd(c *cli.Context) error {
 		log.Err(err).Msg("Error determining install path")
 		return errors.Wrap(err, "Error determining install path")
 	}
 	extraArgs, err := getServiceExtraArgsFromCliArgs(c, log)
 	if err != nil {
 		errMsg := "Unable to determine extra arguments for launch daemon"
 		log.Err(err).Msg(errMsg)
 		return errors.Wrap(err, errMsg)
 	}
 	stdoutPath, err := stdoutPath()
 	if err != nil {
 		log.Err(err).Msg("error determining stdout path")
@ -149,7 +139,7 @@ func installLaunchd(c *cli.Context) error {
 		return errors.Wrap(err, "error determining stderr path")
 	}
 	launchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)
-	templateArgs := ServiceTemplateArgs{Path: etPath, ExtraArgs: extraArgs}
+	templateArgs := ServiceTemplateArgs{Path: etPath}
 	err = launchdTemplate.Generate(&templateArgs)
 	if err != nil {
 		log.Err(err).Msg("error generating launchd template")
@ -162,20 +152,16 @@ func installLaunchd(c *cli.Context) error {
 	}
 	log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
-	err = runCommand("launchctl", "load", plistPath)
+	return runCommand("launchctl", "load", plistPath)
 	if err == nil {
 		log.Info().Msg("MacOS service for cloudflared installed successfully")
 	}
 	return err
 }
 func uninstallLaunchd(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	if isRootUser() {
-		log.Info().Msg("Uninstalling cloudflared as a system launch daemon")
+		log.Info().Msg("Uninstalling Argo Tunnel as a system launch daemon")
 	} else {
-		log.Info().Msg("Uninstalling cloudflared as a user launch agent")
+		log.Info().Msg("Uninstalling Argo Tunnel as an user launch agent")
 	}
 	installPath, err := installPath()
 	if err != nil {
@ -197,13 +183,10 @@ func uninstallLaunchd(c *cli.Context) error {
 	}
 	err = runCommand("launchctl", "unload", plistPath)
 	if err != nil {
-		log.Err(err).Msg("error unloading launchd")
+		log.Err(err).Msg("error unloading")
 		return err
 	}
-	err = launchdTemplate.Remove()
+	log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
-	if err == nil {
+	return launchdTemplate.Remove()
 		log.Info().Msg("Launchd for cloudflared was uninstalled successfully")
 	}
 	return err
 }
--- a/cmd/cloudflared/main.go
+++ b/cmd/cloudflared/main.go
@ -3,11 +3,10 @@ package main
 import (
 	"fmt"
 	"math/rand"
 	"os"
 	"strings"
 	"time"
-	"github.com/getsentry/sentry-go"
+	"github.com/getsentry/raven-go"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
@ -16,15 +15,12 @@ import (
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/metrics"
 	"github.com/cloudflare/cloudflared/overwatch"
 	"github.com/cloudflare/cloudflared/token"
 	"github.com/cloudflare/cloudflared/tracing"
 	"github.com/cloudflare/cloudflared/watcher"
 )
@ -35,7 +31,6 @@ const (
 var (
 	Version   = "DEV"
 	BuildTime = "unknown"
 	BuildType = ""
 	// Mostly network errors that we don't want reported back to Sentry, this is done by substring match.
 	ignoredErrors = []string{
 		"connection reset by peer",
@ -50,13 +45,10 @@ var (
 )
 func main() {
 	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
 	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
 	rand.Seed(time.Now().UnixNano())
-	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
+	metrics.RegisterBuildInfo(BuildTime, Version)
 	raven.SetRelease(Version)
 	maxprocs.Set()
 	bInfo := cliutil.GetBuildInfo(BuildType, Version)
 	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
 	// Windows service manager closes this channel when it receives stop command.
@ -75,26 +67,23 @@ func main() {
 	app.Copyright = fmt.Sprintf(
 		`(c) %d Cloudflare Inc.
   Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
-   the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),
+   the terms of the Cloudflare License (https://developers.cloudflare.com/argo-tunnel/license/),
   Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).`,
 		time.Now().Year(),
 	)
-	app.Version = fmt.Sprintf("%s (built %s%s)", Version, BuildTime, bInfo.GetBuildTypeMsg())
+	app.Version = fmt.Sprintf("%s (built %s)", Version, BuildTime)
 	app.Description = `cloudflared connects your machine or user identity to Cloudflare's global network.
 	You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
 	and configure access control.
-	See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.`
+	See https://developers.cloudflare.com/argo-tunnel/ for more in-depth documentation.`
 	app.Flags = flags()
 	app.Action = action(graceShutdownC)
 	app.Commands = commands(cli.ShowVersion)
-	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
+	tunnel.Init(Version, graceShutdownC) // we need this to support the tunnel sub command...
-	access.Init(graceShutdownC, Version)
+	access.Init(graceShutdownC)
-	updater.Init(bInfo)
+	updater.Init(Version)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
 	runApp(app, graceShutdownC)
 }
@ -134,28 +123,16 @@ To determine if an update happened in a script, check for error code 11.`,
 		{
 			Name: "version",
 			Action: func(c *cli.Context) (err error) {
 				if c.Bool("short") {
 					fmt.Println(strings.Split(c.App.Version, " ")[0])
 					return nil
 				}
 				version(c)
 				return nil
 			},
 			Usage:       versionText,
 			Description: versionText,
 			Flags: []cli.Flag{
 				&cli.BoolFlag{
 					Name:    "short",
 					Aliases: []string{"s"},
 					Usage:   "print just the version number",
 				},
 			},
 		},
 	}
 	cmds = append(cmds, tunnel.Commands()...)
 	cmds = append(cmds, proxydns.Command(false))
 	cmds = append(cmds, access.Commands()...)
 	cmds = append(cmds, tail.Command())
 	return cmds
 }
@ -173,10 +150,10 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 		if isEmptyInvocation(c) {
 			return handleServiceMode(c, graceShutdownC)
 		}
-		func() {
+		tags := make(map[string]string)
-			defer sentry.Recover()
+		tags["hostname"] = c.String("hostname")
-			err = tunnel.TunnelCommand(c)
+		raven.SetTagsContext(tags)
-		}()
+		raven.CapturePanic(func() { err = tunnel.TunnelCommand(c) }, nil)
 		if err != nil {
 			captureError(err)
 		}
@ -204,7 +181,7 @@ func captureError(err error) {
 			return
 		}
 	}
-	sentry.CaptureException(err)
+	raven.CaptureError(err, nil)
 }
 // cloudflared was started without any flags
--- a/cmd/cloudflared/proxydns/cmd.go
+++ b/cmd/cloudflared/proxydns/cmd.go
@ -1,7 +1,6 @@
 package proxydns
 import (
 	"context"
 	"net"
 	"os"
 	"os/signal"
@ -74,7 +73,7 @@ func Run(c *cli.Context) error {
 		log.Fatal().Err(err).Msg("Failed to open the metrics listener")
 	}
-	go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
+	go metrics.ServeMetrics(metricsListener, nil, nil, "", log)
 	listener, err := tunneldns.CreateListener(
 		c.String("address"),
--- a/cmd/cloudflared/service_template.go
+++ b/cmd/cloudflared/service_template.go
@ -5,9 +5,9 @@ import (
 	"bytes"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
 	"text/template"
 	homedir "github.com/mitchellh/go-homedir"
@ -43,27 +43,16 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 	if err != nil {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
 		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
 	}
 	var buffer bytes.Buffer
 	err = tmpl.Execute(&buffer, args)
 	if err != nil {
 		return fmt.Errorf("error generating %s: %v", st.Path, err)
 	}
-	fileMode := os.FileMode(0o644)
+	fileMode := os.FileMode(0644)
 	if st.FileMode != 0 {
 		fileMode = st.FileMode
 	}
-
+	err = ioutil.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
 	plistFolder := path.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
 	}
 	err = os.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
 	if err != nil {
 		return fmt.Errorf("error writing %s: %v", resolvedPath, err)
 	}
@ -82,15 +71,6 @@ func (st *ServiceTemplate) Remove() error {
 	return nil
 }
 func serviceAlreadyExistsWarn(service string) string {
 	return fmt.Sprintf("cloudflared service is already installed at %s; if you are running a cloudflared tunnel, you "+
 		"can point it to multiple origins, avoiding the need to run more than one cloudflared service in the "+
 		"same machine; otherwise if you are really sure, you can do `cloudflared service uninstall` to clean "+
 		"up the existing service and then try again this command",
 		service,
 	)
 }
 func runCommand(command string, args ...string) error {
 	cmd := exec.Command(command, args...)
 	stderr, err := cmd.StderrPipe()
@ -102,10 +82,10 @@ func runCommand(command string, args ...string) error {
 		return fmt.Errorf("error starting %s: %v", command, err)
 	}
-	output, _ := io.ReadAll(stderr)
+	_, _ = ioutil.ReadAll(stderr)
 	err = cmd.Wait()
 	if err != nil {
-		return fmt.Errorf("%s %v returned with error code %v due to: %v", command, args, err, string(output))
+		return fmt.Errorf("%s returned with error: %v", command, err)
 	}
 	return nil
 }
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -1,428 +0,0 @@
 package tail
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 	"github.com/google/uuid"
 	"github.com/mattn/go-colorable"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"nhooyr.io/websocket"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 )
 var (
 	buildInfo *cliutil.BuildInfo
 )
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
 }
 func Command() *cli.Command {
 	subcommands := []*cli.Command{
 		buildTailManagementTokenSubcommand(),
 	}
 	return buildTailCommand(subcommands)
 }
 func buildTailManagementTokenSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:        "token",
 		Action:      cliutil.ConfiguredAction(managementTokenCommand),
 		Usage:       "Get management access jwt",
 		UsageText:   "cloudflared tail token TUNNEL_ID",
 		Description: `Get management access jwt for a tunnel`,
 		Hidden:      true,
 	}
 }
 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
 	}
 	var tokenResponse = struct {
 		Token string `json:"token"`
 	}{Token: token}
 	return json.NewEncoder(os.Stdout).Encode(tokenResponse)
 }
 func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 	return &cli.Command{
 		Name:      "tail",
 		Action:    Run,
 		Usage:     "Stream logs from a remote cloudflared",
 		UsageText: "cloudflared tail [tail command options] [TUNNEL-ID]",
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "connector-id",
 				Usage:   "Access a specific cloudflared instance by connector id (for when a tunnel has multiple cloudflared's)",
 				Value:   "",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_CONNECTOR"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "event",
 				Usage:   "Filter by specific Events (cloudflared, http, tcp, udp) otherwise, defaults to send all events",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_EVENTS"},
 			},
 			&cli.StringFlag{
 				Name:    "level",
 				Usage:   "Filter by specific log levels (debug, info, warn, error). Filters by debug log level by default.",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_LEVEL"},
 				Value:   "debug",
 			},
 			&cli.Float64Flag{
 				Name:    "sample",
 				Usage:   "Sample log events by percentage (0.0 .. 1.0). No sampling by default.",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_SAMPLE"},
 				Value:   1.0,
 			},
 			&cli.StringFlag{
 				Name:    "token",
 				Usage:   "Access token for a specific tunnel",
 				Value:   "",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
 				Name:    "output",
 				Usage:   "Output format for the logs (default, json)",
 				Value:   "default",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
 			},
 			&cli.StringFlag{
 				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
 				Value:   "management.argotunnel.com",
 			},
 			&cli.StringFlag{
 				Name:   "trace",
 				Usage:  "Set a cf-trace-id for the request",
 				Hidden: true,
 				Value:  "",
 			},
 			&cli.StringFlag{
 				Name:    logger.LogLevelFlag,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			&cli.StringFlag{
 				Name:    credentials.OriginCertFlag,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 		},
 		Subcommands: subcommands,
 	}
 }
 // Middleware validation error struct for returning to the eyeball
 type managementError struct {
 	Code    int    `json:"code,omitempty"`
 	Message string `json:"message,omitempty"`
 }
 // Middleware validation error HTTP response JSON for returning to the eyeball
 type managementErrorResponse struct {
 	Success bool              `json:"success,omitempty"`
 	Errors  []managementError `json:"errors,omitempty"`
 }
 func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 	if resp.StatusCode == 530 {
 		log.Error().Msgf("no cloudflared connector available or reachable via management request (a recent version of cloudflared is required to use streaming logs)")
 	}
 	var managementErr managementErrorResponse
 	err := json.NewDecoder(resp.Body).Decode(&managementErr)
 	if err != nil {
 		log.Error().Msgf("unable to start management log streaming session: http response code returned %d", resp.StatusCode)
 		return
 	}
 	if managementErr.Success || len(managementErr.Errors) == 0 {
 		log.Error().Msgf("management tunnel validation returned success with invalid HTTP response code to convert to a WebSocket request")
 		return
 	}
 	for _, e := range managementErr.Errors {
 		log.Error().Msgf("management request failed validation: (%d) %s", e.Code, e.Message)
 	}
 }
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
 	level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
 	log := zerolog.New(zerolog.ConsoleWriter{
 		Out:        colorable.NewColorable(os.Stderr),
 		TimeFormat: time.RFC3339,
 	}).With().Timestamp().Logger().Level(level)
 	return &log
 }
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
 	var events []management.LogEventType
 	var sample float64
 	argLevel := c.String("level")
 	argEvents := c.StringSlice("event")
 	argSample := c.Float64("sample")
 	if argLevel != "" {
 		l, ok := management.ParseLogLevel(argLevel)
 		if !ok {
 			return nil, fmt.Errorf("invalid --level filter provided, please use one of the following Log Levels: debug, info, warn, error")
 		}
 		level = &l
 	}
 	for _, v := range argEvents {
 		t, ok := management.ParseLogEventType(v)
 		if !ok {
 			return nil, fmt.Errorf("invalid --event filter provided, please use one of the following EventTypes: cloudflared, http, tcp, udp")
 		}
 		events = append(events, t)
 	}
 	if argSample <= 0.0 || argSample > 1.0 {
 		return nil, fmt.Errorf("invalid --sample value provided, please make sure it is in the range (0.0 .. 1.0)")
 	}
 	sample = argSample
 	if level == nil && len(events) == 0 && argSample != 1.0 {
 		// When no filters are provided, do not return a StreamingFilters struct
 		return nil, nil
 	}
 	return &management.StreamingFilters{
 		Level:    level,
 		Events:   events,
 		Sampling: sample,
 	}, nil
 }
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
 	if err != nil {
 		return "", err
 	}
 	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
 	tunnelIDString := c.Args().First()
 	if tunnelIDString == "" {
 		return "", errors.New("no tunnel ID provided")
 	}
 	tunnelID, err := uuid.Parse(tunnelIDString)
 	if err != nil {
 		return "", errors.New("unable to parse provided tunnel id as a valid UUID")
 	}
 	token, err := client.GetManagementToken(tunnelID)
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
 	managementHostname := c.String("management-hostname")
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
 	if connector != "" {
 		connectorID, err := uuid.Parse(connector)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unabled to parse 'connector-id' flag into a valid UUID: %w", err)
 		}
 		query.Add("connector_id", connectorID.String())
 	}
 	return url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: query.Encode()}, nil
 }
 func printLine(log *management.Log, logger *zerolog.Logger) {
 	fields, err := json.Marshal(log.Fields)
 	if err != nil {
 		fields = []byte("unable to parse fields")
 		logger.Debug().Msgf("unable to parse fields from event %+v", log)
 	}
 	fmt.Printf("%s %s %s %s %s\n", log.Time, log.Level, log.Event, log.Message, fields)
 }
 func printJSON(log *management.Log, logger *zerolog.Logger) {
 	output, err := json.Marshal(log)
 	if err != nil {
 		logger.Debug().Msgf("unable to parse event to json %+v", log)
 	} else {
 		fmt.Println(string(output))
 	}
 }
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
 	log := createLogger(c)
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	output := "default"
 	switch c.String("output") {
 	case "default", "":
 		output = "default"
 	case "json":
 		output = "json"
 	default:
 		log.Err(errors.New("invalid --output value provided, please make sure it is one of: default, json")).Send()
 	}
 	filters, err := parseFilters(c)
 	if err != nil {
 		log.Error().Err(err).Msgf("invalid filters provided")
 		return nil
 	}
 	u, err := buildURL(c, log)
 	if err != nil {
 		log.Err(err).Msg("unable to construct management request URL")
 		return nil
 	}
 	header := make(http.Header)
 	header.Add("User-Agent", buildInfo.UserAgent())
 	trace := c.String("trace")
 	if trace != "" {
 		header["cf-trace-id"] = []string{trace}
 	}
 	ctx := c.Context
 	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: header,
 	})
 	if err != nil {
 		if resp != nil && resp.StatusCode != http.StatusSwitchingProtocols {
 			handleValidationError(resp, log)
 			return nil
 		}
 		log.Error().Err(err).Msgf("unable to start management log streaming session")
 		return nil
 	}
 	defer conn.Close(websocket.StatusInternalError, "management connection was closed abruptly")
 	// Once connection is established, send start_streaming event to begin receiving logs
 	err = management.WriteEvent(conn, ctx, &management.EventStartStreaming{
 		ClientEvent: management.ClientEvent{Type: management.StartStreaming},
 		Filters:     filters,
 	})
 	if err != nil {
 		log.Error().Err(err).Msg("unable to request logs from management tunnel")
 		return nil
 	}
 	log.Debug().
 		Str("tunnel-id", c.Args().First()).
 		Str("connector-id", c.String("connector-id")).
 		Interface("filters", filters).
 		Msg("connected")
 	readerDone := make(chan struct{})
 	go func() {
 		defer close(readerDone)
 		for {
 			select {
 			case <-ctx.Done():
 				return
 			default:
 				event, err := management.ReadServerEvent(conn, ctx)
 				if err != nil {
 					if closeErr := management.AsClosed(err); closeErr != nil {
 						// If the client (or the server) already closed the connection, don't continue to
 						// attempt to read from the client.
 						if closeErr.Code == websocket.StatusNormalClosure {
 							return
 						}
 						// Only log abnormal closures
 						log.Error().Msgf("received remote closure: (%d) %s", closeErr.Code, closeErr.Reason)
 						return
 					}
 					log.Err(err).Msg("unable to read event from server")
 					return
 				}
 				switch event.Type {
 				case management.Logs:
 					logs, ok := management.IntoServerEvent(event, management.Logs)
 					if !ok {
 						log.Error().Msgf("invalid logs event")
 						continue
 					}
 					// Output all the logs received to stdout
 					for _, l := range logs.Logs {
 						if output == "json" {
 							printJSON(l, log)
 						} else {
 							printLine(l, log)
 						}
 					}
 				case management.UnknownServerEventType:
 					fallthrough
 				default:
 					log.Debug().Msgf("unexpected log event type: %s", event.Type)
 				}
 			}
 		}
 	}()
 	for {
 		select {
 		case <-ctx.Done():
 			return nil
 		case <-readerDone:
 			return nil
 		case <-signals:
 			log.Debug().Msg("closing management connection")
 			// Cleanly close the connection by sending a close message and then
 			// waiting (with timeout) for the server to close the connection.
 			conn.Close(websocket.StatusNormalClosure, "")
 			select {
 			case <-readerDone:
 			case <-time.After(time.Second):
 			}
 			return nil
 		}
 	}
 }
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -4,6 +4,7 @@ import (
 	"bufio"
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"runtime/trace"
@ -11,43 +12,35 @@ import (
 	"sync"
 	"time"
-	"github.com/coreos/go-systemd/v22/daemon"
+	"github.com/coreos/go-systemd/daemon"
 	"github.com/facebookgo/grace/gracenet"
-	"github.com/getsentry/sentry-go"
+	"github.com/getsentry/raven-go"
 	"github.com/google/uuid"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"github.com/cloudflare/cloudflared/cfapi"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/buildinfo"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/ui"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 	"github.com/cloudflare/cloudflared/metrics"
-	"github.com/cloudflare/cloudflared/orchestration"
+	"github.com/cloudflare/cloudflared/origin"
 	"github.com/cloudflare/cloudflared/signal"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunneldns"
-	"github.com/cloudflare/cloudflared/validation"
+	"github.com/cloudflare/cloudflared/tunnelstore"
 )
 const (
 	sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
 	// ha-Connections specifies how many connections to make to the edge
 	haConnectionsFlag = "ha-connections"
 	// sshPortFlag is the port on localhost the cloudflared ssh server will run on
 	sshPortFlag = "local-ssh-port"
@ -78,53 +71,26 @@ const (
 	// hostKeyPath is the path of the dir to save SSH host keys too
 	hostKeyPath = "host-key-path"
 	// rpcTimeout is how long to wait for a Capnp RPC request to the edge
 	rpcTimeout = "rpc-timeout"
 	// writeStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
 	writeStreamTimeout = "write-stream-timeout"
 	// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
 	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
 	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
 	quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
 	// quicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
 	// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
 	// but it's blocked by flow control
 	quicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
 	// quicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
 	// it will send a STREAM_DATA_BLOCKED frame
 	quicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
 	// uiFlag is to enable launching cloudflared in interactive UI mode
 	uiFlag = "ui"
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 	LogFieldCommand             = "command"
 	LogFieldExpandedPath        = "expandedPath"
 	LogFieldPIDPathname         = "pidPathname"
 	LogFieldTmpTraceFilename    = "tmpTraceFilename"
 	LogFieldTraceOutputFilepath = "traceOutputFilepath"
 	tunnelCmdErrorMessage = `You did not specify any valid additional argument to the cloudflared tunnel command.
 If you are trying to run a Quick Tunnel then you need to explicitly pass the --url flag.
 Eg. cloudflared tunnel --url localhost:8080/.
 Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
 For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
 `
 	connectorLabelFlag = "label"
 )
 var (
 	graceShutdownC chan struct{}
-	buildInfo      *cliutil.BuildInfo
+	version        string
 	routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
 		"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
 		"any existing DNS records for this hostname.", overwriteDNSFlag)
 	deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
 )
 func Flags() []cli.Flag {
@ -136,14 +102,12 @@ func Commands() []*cli.Command {
 		buildLoginSubcommand(false),
 		buildCreateCommand(),
 		buildRouteCommand(),
 		buildVirtualNetworkSubcommand(false),
 		buildRunCommand(),
 		buildListCommand(),
 		buildInfoCommand(),
 		buildIngressSubcommand(),
 		buildDeleteCommand(),
 		buildCleanupCommand(),
 		buildTokenCommand(),
 		// for compatibility, allow following as tunnel subcommands
 		proxydns.Command(true),
 		cliutil.RemovedCommand("db-connect"),
@ -162,34 +126,26 @@ func buildTunnelCommand(subcommands []*cli.Command) *cli.Command {
 		Name:      "tunnel",
 		Action:    cliutil.ConfiguredAction(TunnelCommand),
 		Category:  "Tunnel",
-		Usage:     "Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users.",
+		Usage:     "Make a locally-running web service accessible over the internet using Argo Tunnel.",
 		ArgsUsage: " ",
-		Description: `    Cloudflare Tunnel allows to expose private services without opening any ingress port on this machine. It can expose:
+		Description: `Argo Tunnel asks you to specify a hostname on a Cloudflare-powered
-  A) Locally reachable HTTP-based private services to the Internet on DNS with Cloudflare as authority (which you can
+		domain you control and a local address. Traffic from that hostname is routed
-then protect with Cloudflare Access).
+		(optionally via a Cloudflare Load Balancer) to this machine and appears on the
-  B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
+		specified port where it can be served.
 those enrolled to a Zero Trust WARP Client.
-You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
+		This feature requires your Cloudflare account be subscribed to the Argo Smart Routing feature.
 later in each machine where you wish to run a Tunnel.
-Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
+		To use, begin by calling login to download a certificate:
-	$ cloudflared tunnel login
+			$ cloudflared tunnel login
-With your certificate installed you can then get started with Tunnels:
+		With your certificate installed you can then launch your first tunnel,
 		replacing my.site.com with a subdomain of your site:
-	$ cloudflared tunnel create my-first-tunnel
+			$ cloudflared tunnel --hostname my.site.com --url http://localhost:8080
 	$ cloudflared tunnel route dns my-first-tunnel my-first-tunnel.mydomain.com
 	$ cloudflared tunnel run --hello-world my-first-tunnel
-You can now access my-first-tunnel.mydomain.com and be served an example page by your local cloudflared process.
+		If you have a web server running on port 8080 (in this example), it will be available on
-
+		the internet!`,
 For exposing local TCP/UDP services by IP to your privately connected users, check out:
 	$ cloudflared tunnel route ip --help
 See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/ for more info.`,
 		Subcommands: subcommands,
 		Flags:       tunnelFlags(false),
 	}
@ -200,66 +156,32 @@ func TunnelCommand(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-
+	if name := c.String("name"); name != "" { // Start a named tunnel
 	// Run a adhoc named tunnel
 	// Allows for the creation, routing (optional), and startup of a tunnel in one command
 	// --name required
 	// --url or --hello-world required
 	// --hostname optional
 	if name := c.String("name"); name != "" {
 		hostname, err := validation.ValidateHostname(c.String("hostname"))
 		if err != nil {
 			return errors.Wrap(err, "Invalid hostname provided")
 		}
 		url := c.String("url")
 		if url == hostname && url != "" && hostname != "" {
 			return fmt.Errorf("hostname and url shouldn't match. See --help for more information")
 		}
 		return runAdhocNamedTunnel(sc, name, c.String(CredFileFlag))
 	}
 	// Run a quick tunnel
 	// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
 	// We don't support running proxy-dns and a quick tunnel at the same time as the same process
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
 	if !c.IsSet("proxy-dns") && c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
 	// If user provides a config, check to see if they meant to use `tunnel run` instead
 	if ref := config.GetConfiguration().TunnelID; ref != "" {
 		return fmt.Errorf("Use `cloudflared tunnel run` to start tunnel %s", ref)
 	}
-	// Classic tunnel usage is no longer supported
+	// Unauthenticated named tunnel on <random>.<quick-tunnels-service>.com
-	if c.String("hostname") != "" {
+	// For now, default to legacy setup unless quick-service is specified
-		return deprecatedClassicTunnelErr
+	if !dnsProxyStandAlone(c, nil) && c.String("hostname") == "" && c.String("quick-service") != "" {
 		return RunQuickTunnel(sc)
 	}
-	if c.IsSet("proxy-dns") {
+	// Start a classic tunnel
-		if shouldRunQuickTunnel {
+	return runClassicTunnel(sc)
 			return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
 		}
 		// NamedTunnelProperties are nil since proxy dns server does not need it.
 		// This is supported for legacy reasons: dns proxy server is not a tunnel and ideally should
 		// not run as part of cloudflared tunnel.
 		return StartServer(sc.c, buildInfo, nil, sc.log)
 	}
 	return errors.New(tunnelCmdErrorMessage)
 }
-func Init(info *cliutil.BuildInfo, gracefulShutdown chan struct{}) {
+func Init(ver string, gracefulShutdown chan struct{}) {
-	buildInfo, graceShutdownC = info, gracefulShutdown
+	version, graceShutdownC = ver, gracefulShutdown
 }
 // runAdhocNamedTunnel create, route and run a named tunnel in one command
 func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath string) error {
 	tunnel, ok, err := sc.tunnelActive(name)
 	if err != nil || !ok {
-		// pass empty string as secret to generate one
+		tunnel, err = sc.create(name, credentialsOutputPath)
 		tunnel, err = sc.create(name, credentialsOutputPath, "")
 		if err != nil {
 			return errors.Wrap(err, "failed to create tunnel")
 		}
@ -282,40 +204,39 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
 	return nil
 }
-func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
+// runClassicTunnel creates a "classic" non-named tunnel
 func runClassicTunnel(sc *subcommandContext) error {
 	return StartServer(sc.c, version, nil, sc.log, sc.isUIEnabled)
 }
 func routeFromFlag(c *cli.Context) (route tunnelstore.Route, ok bool) {
 	if hostname := c.String("hostname"); hostname != "" {
 		if lbPool := c.String("lb-pool"); lbPool != "" {
-			return cfapi.NewLBRoute(hostname, lbPool), true
+			return tunnelstore.NewLBRoute(hostname, lbPool), true
 		}
-		return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
+		return tunnelstore.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
 	}
 	return nil, false
 }
 func StartServer(
 	c *cli.Context,
-	info *cliutil.BuildInfo,
+	version string,
-	namedTunnel *connection.TunnelProperties,
+	namedTunnel *connection.NamedTunnelConfig,
 	log *zerolog.Logger,
 	isUIEnabled bool,
 ) error {
-	err := sentry.Init(sentry.ClientOptions{
+	_ = raven.SetDSN(sentryDSN)
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	var wg sync.WaitGroup
 	listeners := gracenet.Net{}
 	errC := make(chan error)
-	// Only log for locally configured tunnels (Token is blank).
+	if config.GetConfiguration().Source() == "" {
 	if config.GetConfiguration().Source() == "" && c.String(TunnelTokenFlag) == "" {
 		log.Info().Msg(config.ErrNoConfigFile.Error())
 	}
 	if c.IsSet("trace-output") {
-		tmpTraceFile, err := os.CreateTemp("", "trace")
+		tmpTraceFile, err := ioutil.TempFile("", "trace")
 		if err != nil {
 			log.Err(err).Msg("Failed to create new temporary file to save trace output")
 		}
@ -347,11 +268,12 @@ func StartServer(
 		defer trace.Stop()
 	}
-	info.Log(log)
+	buildInfo := buildinfo.GetBuildInfo(version)
 	buildInfo.Log(log)
 	logClientOptions(c, log)
 	// this context drives the server, when it's cancelled tunnel and all other components (origins, dns, etc...) should stop
-	ctx, cancel := context.WithCancel(c.Context)
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	go waitForSignal(graceShutdownC, log)
@ -383,16 +305,24 @@ func StartServer(
 		errC <- autoupdater.Run(ctx)
 	}()
-	// Serve DNS proxy stand-alone if no tunnel type (quick, adhoc, named) is going to run
+	// Serve DNS proxy stand-alone if no hostname or tag or app is going to run
 	if dnsProxyStandAlone(c, namedTunnel) {
 		connectedSignal.Notify()
 		// no grace period, handle SIGINT/SIGTERM immediately
 		return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
 	}
-	logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
+	url := c.String("url")
 	hostname := c.String("hostname")
 	if url == hostname && url != "" && hostname != "" {
 		errText := "hostname and url shouldn't match. See --help for more information"
 		log.Error().Msg(errText)
 		return fmt.Errorf(errText)
 	}
-	observer := connection.NewObserver(log, logTransport)
+	logTransport := logger.CreateTransportLoggerFromContext(c, isUIEnabled)
 	observer := connection.NewObserver(log, logTransport, isUIEnabled)
 	// Send Quick Tunnel URL to UI if applicable
 	var quickTunnelURL string
@ -403,49 +333,11 @@ func StartServer(
 		observer.SendURL(quickTunnelURL)
 	}
-	tunnelConfig, orchestratorConfig, err := prepareTunnelConfig(ctx, c, info, log, logTransport, observer, namedTunnel)
+	tunnelConfig, ingressRules, err := prepareTunnelConfig(c, buildInfo, version, log, logTransport, observer, namedTunnel)
 	if err != nil {
 		log.Err(err).Msg("Couldn't start tunnel")
 		return err
 	}
 	var clientID uuid.UUID
 	if tunnelConfig.NamedTunnel != nil {
 		clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
 		if err != nil {
 			// set to nil for classic tunnels
 			clientID = uuid.Nil
 		}
 	}
 	// Disable ICMP packet routing for quick tunnels
 	if quickTunnelURL != "" {
 		tunnelConfig.PacketConfig = nil
 	}
 	internalRules := []ingress.Rule{}
 	if features.Contains(features.FeatureManagementLogs) {
 		serviceIP := c.String("service-op-ip")
 		if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
 			if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
 				serviceIP = serviceAddr.TCP.String()
 			}
 		}
 		mgmt := management.New(
 			c.String("management-hostname"),
 			c.Bool("management-diagnostics"),
 			serviceIP,
 			clientID,
 			c.String(connectorLabelFlag),
 			logger.ManagementLogger.Log,
 			logger.ManagementLogger,
 		)
 		internalRules = []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	}
 	orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
 	if err != nil {
 		return err
 	}
 	metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
 	if err != nil {
@ -456,17 +348,16 @@ func StartServer(
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		readinessServer := metrics.NewReadyServer(log, clientID)
+		readinessServer := metrics.NewReadyServer(log)
 		observer.RegisterSink(readinessServer)
-		metricsConfig := metrics.Config{
+		errC <- metrics.ServeMetrics(metricsListener, ctx.Done(), readinessServer, quickTunnelURL, log)
 			ReadyServer:         readinessServer,
 			QuickTunnelHostname: quickTunnelURL,
 			Orchestrator:        orchestrator,
 		}
 		errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
 	}()
-	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(haConnectionsFlag))
+	if err := ingressRules.StartOrigins(&wg, log, ctx.Done(), errC); err != nil {
 		return err
 	}
 	reconnectCh := make(chan origin.ReconnectSignal, 1)
 	if c.IsSet("stdin-control") {
 		log.Info().Msg("Enabling control through stdin")
 		go stdinControl(reconnectCh, log)
@ -478,14 +369,22 @@ func StartServer(
 			wg.Done()
 			log.Info().Msg("Tunnel server stopped")
 		}()
-		errC <- supervisor.StartTunnelDaemon(ctx, tunnelConfig, orchestrator, connectedSignal, reconnectCh, graceShutdownC)
+		errC <- origin.StartTunnelDaemon(ctx, tunnelConfig, connectedSignal, reconnectCh, graceShutdownC)
 	}()
-	gracePeriod, err := gracePeriod(c)
+	if isUIEnabled {
-	if err != nil {
+		tunnelUI := ui.NewUIModel(
-		return err
+			version,
 			hostname,
 			metricsListener.Addr().String(),
 			&ingressRules,
 			tunnelConfig.HAConnections,
 		)
 		app := tunnelUI.Launch(ctx, log, logTransport)
 		observer.RegisterSink(app)
 	}
-	return waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, log)
+
 	return waitToShutdown(&wg, cancel, errC, graceShutdownC, c.Duration("grace-period"), log)
 }
 func waitToShutdown(wg *sync.WaitGroup,
@ -579,13 +478,13 @@ func addPortIfMissing(uri *url.URL, port int) string {
 func tunnelFlags(shouldHide bool) []cli.Flag {
 	flags := configureCloudflaredFlags(shouldHide)
 	flags = append(flags, configureProxyFlags(shouldHide)...)
-	flags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...)
+	flags = append(flags, configureLoggingFlags(shouldHide)...)
 	flags = append(flags, configureProxyDNSFlags(shouldHide)...)
 	flags = append(flags, []cli.Flag{
 		credentialsFileFlag,
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:   "is-autoupdated",
-			Usage:  "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
+			Usage:  "Signal the new process that Argo Tunnel connector has been autoupdated",
 			Value:  false,
 			Hidden: true,
 		}),
@ -600,19 +499,6 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Usage:   "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
 			EnvVars: []string{"TUNNEL_REGION"},
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "edge-ip-version",
 			Usage:   "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
 			EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
 			Value:   "4",
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "edge-bind-address",
 			Usage:   "Bind to IP address for outgoing connections to Cloudflare Edge.",
 			EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    tlsconfig.CaCertFlag,
 			Usage:   "Certificate Authority authenticating connections with Cloudflare's edge network.",
@ -671,9 +557,9 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 			Name:    "tag",
-			Usage:   "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
+			Usage:   "Custom tags used to identify this tunnel, in format `KEY=VALUE`. Multiple tags may be specified",
 			EnvVars: []string{"TUNNEL_TAG"},
-			Hidden:  true,
+			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   "heartbeat-interval",
@ -688,12 +574,6 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:  5,
 			Hidden: true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:   "max-edge-addr-retries",
 			Usage:  "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
 			Value:  8,
 			Hidden: true,
 		}),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    "retries",
@ -703,48 +583,10 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   haConnectionsFlag,
+			Name:   "ha-connections",
 			Value:  4,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   rpcTimeout,
 			Value:  5 * time.Second,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:    writeStreamTimeout,
 			EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
 			Usage:   "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
 			Value:   0 * time.Second,
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    quicDisablePathMTUDiscovery,
 			EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
 			Usage:   "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
 			Value:   false,
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    quicConnLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   30 * (1 << 20), // 30 MB
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    quicStreamLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   6 * (1 << 20), // 6 MB
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:  connectorLabelFlag,
 			Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
 			Value: "",
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:    "grace-period",
 			Usage:   "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
@ -790,9 +632,9 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:   uiFlag,
-			Usage:  "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
+			Usage:  "Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
 			Value:  false,
-			Hidden: true,
+			Hidden: shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:   "quick-service",
@ -800,25 +642,6 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:  "https://api.trycloudflare.com",
 			Hidden: true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    "max-fetch-size",
 			Usage:   `The maximum number of results that cloudflared can fetch from Cloudflare API for any listing operations needed`,
 			EnvVars: []string{"TUNNEL_MAX_FETCH_SIZE"},
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    "post-quantum",
 			Usage:   "When given creates an experimental post-quantum secure tunnel",
 			Aliases: []string{"pq"},
 			EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 			Hidden:  FipsEnabled,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    "management-diagnostics",
 			Usage:   "Enables the in-depth diagnostic routes to be made available over the management service (/debug/pprof, /metrics, etc.)",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_DIAGNOSTICS"},
 			Value:   true,
 		}),
 		selectProtocolFlag,
 		overwriteDNSFlag,
 	}...)
@ -836,10 +659,10 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
 			Hidden: shouldHide,
 		},
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    credentials.OriginCertFlag,
+			Name:    "origincert",
 			Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
-			Value:   credentials.FindDefaultOriginCertPath(),
+			Value:   findDefaultOriginCertPath(),
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
@ -881,7 +704,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    ingress.HelloWorldFlag,
+			Name:    "hello-world",
 			Value:   false,
 			Usage:   "Run Hello World Server",
 			EnvVars: []string{"TUNNEL_HELLO_WORLD"},
@ -889,43 +712,43 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    ingress.Socks5Flag,
-			Usage:   legacyTunnelFlag("specify if this tunnel is running as a SOCK5 Server"),
+			Usage:   "specify if this tunnel is running as a SOCK5 Server",
 			EnvVars: []string{"TUNNEL_SOCKS"},
 			Value:   false,
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   ingress.ProxyConnectTimeoutFlag,
-			Usage:  legacyTunnelFlag("HTTP proxy timeout for establishing a new connection"),
+			Usage:  "HTTP proxy timeout for establishing a new connection",
 			Value:  time.Second * 30,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   ingress.ProxyTLSTimeoutFlag,
-			Usage:  legacyTunnelFlag("HTTP proxy timeout for completing a TLS handshake"),
+			Usage:  "HTTP proxy timeout for completing a TLS handshake",
 			Value:  time.Second * 10,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   ingress.ProxyTCPKeepAliveFlag,
-			Usage:  legacyTunnelFlag("HTTP proxy TCP keepalive duration"),
+			Usage:  "HTTP proxy TCP keepalive duration",
 			Value:  time.Second * 30,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:   ingress.ProxyNoHappyEyeballsFlag,
-			Usage:  legacyTunnelFlag("HTTP proxy should disable \"happy eyeballs\" for IPv4/v6 fallback"),
+			Usage:  "HTTP proxy should disable \"happy eyeballs\" for IPv4/v6 fallback",
 			Hidden: shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:   ingress.ProxyKeepAliveConnectionsFlag,
-			Usage:  legacyTunnelFlag("HTTP proxy maximum keepalive connection pool size"),
+			Usage:  "HTTP proxy maximum keepalive connection pool size",
 			Value:  100,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   ingress.ProxyKeepAliveTimeoutFlag,
-			Usage:  legacyTunnelFlag("HTTP proxy timeout for closing an idle connection"),
+			Usage:  "HTTP proxy timeout for closing an idle connection",
 			Value:  time.Second * 90,
 			Hidden: shouldHide,
 		}),
@ -943,13 +766,13 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    ingress.HTTPHostHeaderFlag,
-			Usage:   legacyTunnelFlag("Sets the HTTP Host header for the local webserver."),
+			Usage:   "Sets the HTTP Host header for the local webserver.",
 			EnvVars: []string{"TUNNEL_HTTP_HOST_HEADER"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    ingress.OriginServerNameFlag,
-			Usage:   legacyTunnelFlag("Hostname on the origin server certificate."),
+			Usage:   "Hostname on the origin server certificate.",
 			EnvVars: []string{"TUNNEL_ORIGIN_SERVER_NAME"},
 			Hidden:  shouldHide,
 		}),
@ -961,56 +784,26 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    tlsconfig.OriginCAPoolFlag,
-			Usage:   legacyTunnelFlag("Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare."),
+			Usage:   "Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CA_POOL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    ingress.NoTLSVerifyFlag,
-			Usage:   legacyTunnelFlag("Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted."),
+			Usage:   "Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted.",
 			EnvVars: []string{"NO_TLS_VERIFY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    ingress.NoChunkedEncodingFlag,
-			Usage:   legacyTunnelFlag("Disables chunked transfer encoding; useful if you are running a WSGI server."),
+			Usage:   "Disables chunked transfer encoding; useful if you are running a WSGI server.",
 			EnvVars: []string{"TUNNEL_NO_CHUNKED_ENCODING"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    ingress.Http2OriginFlag,
 			Usage:   "Enables HTTP/2 origin servers.",
 			EnvVars: []string{"TUNNEL_ORIGIN_ENABLE_HTTP2"},
 			Hidden:  shouldHide,
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "management-hostname",
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,
 			Value:   "management.argotunnel.com",
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "service-op-ip",
 			Usage:   "Fallback IP for service operations run by the management service.",
 			EnvVars: []string{"TUNNEL_SERVICE_OP_IP"},
 			Hidden:  true,
 			Value:   "198.41.200.113:80",
 		}),
 	}
 	return append(flags, sshFlags(shouldHide)...)
 }
 func legacyTunnelFlag(msg string) string {
 	return fmt.Sprintf(
 		"%s This flag only takes effect if you define your origin with `--url` and if you do not use ingress rules."+
 			" The recommended way is to rely on ingress rules and define this property under `originRequest` as per"+
 			" https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress",
 		msg,
 	)
 }
 func sshFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
@ -1106,6 +899,44 @@ func sshFlags(shouldHide bool) []cli.Flag {
 	}
 }
 func configureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogLevelFlag,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogTransportLevelFlag,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
 			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogFileFlag,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogDirectoryFlag,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "trace-output",
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 	}
 }
 func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
@ -1157,7 +988,7 @@ func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	}
 }
-func stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logger) {
+func stdinControl(reconnectCh chan origin.ReconnectSignal, log *zerolog.Logger) {
 	for {
 		scanner := bufio.NewScanner(os.Stdin)
 		for scanner.Scan() {
@ -1168,7 +999,7 @@ func stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logg
 			case "":
 				break
 			case "reconnect":
-				var reconnect supervisor.ReconnectSignal
+				var reconnect origin.ReconnectSignal
 				if len(parts) > 1 {
 					var err error
 					if reconnect.Delay, err = time.ParseDuration(parts[1]); err != nil {
--- a/cmd/cloudflared/tunnel/config_test.go
+++ b/cmd/cloudflared/tunnel/config_test.go
@ -4,12 +4,10 @@ import (
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestDedup(t *testing.T) {
 	expected := []string{"a", "b"}
-	actual := features.Dedup([]string{"a", "b", "a"})
+	actual := dedup([]string{"a", "b", "a"})
 	require.ElementsMatch(t, expected, actual)
 }
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -1,50 +1,55 @@
 package tunnel
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"net"
+	"io/ioutil"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
-	"github.com/urfave/cli/v2/altsrc"
+	"golang.org/x/crypto/ssh/terminal"
 	"golang.org/x/term"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/buildinfo"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
-	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
+	"github.com/cloudflare/cloudflared/h2mux"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
-	"github.com/cloudflare/cloudflared/orchestration"
+	"github.com/cloudflare/cloudflared/origin"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
-	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	"github.com/cloudflare/cloudflared/validation"
 )
-const (
+const LogFieldOriginCertPath = "originCertPath"
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
 )
 var (
-	developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
+	developerPortal = "https://developers.cloudflare.com/argo-tunnel"
-	serviceUrl      = developerPortal + "/tunnel-guide/local/as-a-service/"
+	quickStartUrl   = developerPortal + "/quickstart/quickstart/"
-	argumentsUrl    = developerPortal + "/tunnel-guide/local/local-management/arguments/"
+	serviceUrl      = developerPortal + "/reference/service/"
 	argumentsUrl    = developerPortal + "/reference/arguments/"
-	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
+	LogFieldHostname = "hostname"
 	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
 )
 // returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories
 // contains a cert.pem file, return empty string
 func findDefaultOriginCertPath() string {
 	for _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {
 		originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, config.DefaultCredentialFile))
 		if ok, _ := config.FileExists(originCertPath); ok {
 			return originCertPath
 		}
 	}
 	return ""
 }
 func generateRandomClientID(log *zerolog.Logger) (string, error) {
 	u, err := uuid.NewRandom()
 	if err != nil {
@ -57,11 +62,7 @@ func generateRandomClientID(log *zerolog.Logger) (string, error) {
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
 	for _, flag := range c.FlagNames() {
-		if isSecretFlag(flag) {
+		flags[flag] = c.Generic(flag)
 			flags[flag] = secretValue
 		} else {
 			flags[flag] = c.Generic(flag)
 		}
 	}
 	if len(flags) > 0 {
@ -75,11 +76,7 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 		if strings.Contains(env, "TUNNEL_") {
 			vars := strings.Split(env, "=")
 			if len(vars) == 2 {
-				if isSecretEnvVar(vars[0]) {
+				envs[vars[0]] = vars[1]
 					envs[vars[0]] = secretValue
 				} else {
 					envs[vars[0]] = vars[1]
 				}
 			}
 		}
 	}
@ -88,99 +85,161 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	}
 }
-func isSecretFlag(key string) bool {
+func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelConfig) bool {
-	for _, flag := range secretFlags {
+	return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world") && namedTunnel == nil)
 		if flag.Name == key {
 			return true
 		}
 	}
 	return false
 }
-func isSecretEnvVar(key string) bool {
+func findOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {
-	for _, flag := range secretFlags {
+	if originCertPath == "" {
-		for _, secretEnvVar := range flag.EnvVars {
+		log.Info().Msgf("Cannot determine default origin certificate path. No file %s in %v", config.DefaultCredentialFile, config.DefaultConfigSearchDirectories())
-			if secretEnvVar == key {
+		if isRunningFromTerminal() {
-				return true
+			log.Error().Msgf("You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", argumentsUrl)
-			}
+			return "", fmt.Errorf("client didn't specify origincert path when running from terminal")
 		} else {
 			log.Error().Msgf("You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", serviceUrl)
 			return "", fmt.Errorf("client didn't specify origincert path")
 		}
 	}
-	return false
+	var err error
 	originCertPath, err = homedir.Expand(originCertPath)
 	if err != nil {
 		log.Err(err).Msgf("Cannot resolve origin certificate path")
 		return "", fmt.Errorf("cannot resolve path %s", originCertPath)
 	}
 	// Check that the user has acquired a certificate using the login command
 	ok, err := config.FileExists(originCertPath)
 	if err != nil {
 		log.Error().Err(err).Msgf("Cannot check if origin cert exists at path %s", originCertPath)
 		return "", fmt.Errorf("cannot check if origin cert exists at path %s", originCertPath)
 	}
 	if !ok {
 		log.Error().Msgf(`Cannot find a valid certificate for your origin at the path:
    %s
 If the path above is wrong, specify the path with the -origincert option.
 If you don't have a certificate signed by Cloudflare, run the command:
 	%s login
 `, originCertPath, os.Args[0])
 		return "", fmt.Errorf("cannot find a valid certificate at the path %s", originCertPath)
 	}
 	return originCertPath, nil
 }
-func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
+func readOriginCert(originCertPath string) ([]byte, error) {
-	return c.IsSet("proxy-dns") &&
+	// Easier to send the certificate as []byte via RPC than decoding it at this point
-		!(c.IsSet("name") || // adhoc-named tunnel
+	originCert, err := ioutil.ReadFile(originCertPath)
-			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
+	if err != nil {
-			namedTunnel != nil) // named tunnel
+		return nil, fmt.Errorf("cannot read %s to load origin certificate", originCertPath)
 	}
 	return originCert, nil
 }
 func getOriginCert(originCertPath string, log *zerolog.Logger) ([]byte, error) {
 	if originCertPath, err := findOriginCert(originCertPath, log); err != nil {
 		return nil, err
 	} else {
 		return readOriginCert(originCertPath)
 	}
 }
 func prepareTunnelConfig(
 	ctx context.Context,
 	c *cli.Context,
-	info *cliutil.BuildInfo,
+	buildInfo *buildinfo.BuildInfo,
 	version string,
 	log, logTransport *zerolog.Logger,
 	observer *connection.Observer,
-	namedTunnel *connection.TunnelProperties,
+	namedTunnel *connection.NamedTunnelConfig,
-) (*supervisor.TunnelConfig, *orchestration.Config, error) {
+) (*origin.TunnelConfig, ingress.Ingress, error) {
-	clientID, err := uuid.NewRandom()
+	isNamedTunnel := namedTunnel != nil
 	configHostname := c.String("hostname")
 	hostname, err := validation.ValidateHostname(configHostname)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
+		log.Err(err).Str(LogFieldHostname, configHostname).Msg("Invalid hostname")
 		return nil, ingress.Ingress{}, errors.Wrap(err, "Invalid hostname")
 	}
-	log.Info().Msgf("Generated Connector ID: %s", clientID)
+	clientID := c.String("id")
 	if !c.IsSet("id") {
 		clientID, err = generateRandomClientID(log)
 		if err != nil {
 			return nil, ingress.Ingress{}, err
 		}
 	}
 	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
-		return nil, nil, errors.Wrap(err, "Tag parse failure")
+		return nil, ingress.Ingress{}, errors.Wrap(err, "Tag parse failure")
 	}
 	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
 	transportProtocol := c.String("protocol")
 	clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
 	staticFeatures := features.StaticFeatures{}
 	if c.Bool("post-quantum") {
 		if FipsEnabled {
 			return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
 		}
 		pqMode := features.PostQuantumStrict
 		staticFeatures.PostQuantumMode = &pqMode
 	}
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
 	pqMode := featureSelector.PostQuantumMode()
 	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
 			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
 		}
 		transportProtocol = connection.QUIC.String()
 		clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
 		log.Info().Msgf(
 			"Using hybrid post-quantum key agreement %s",
 			supervisor.PQKexName,
 		)
 	}
-	namedTunnel.Client = pogs.ClientInfo{
+	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID})
-		ClientID: clientID[:],
+
-		Features: clientFeatures,
+	var (
-		Version:  info.Version(),
+		ingressRules  ingress.Ingress
-		Arch:     info.OSArch(),
+		classicTunnel *connection.ClassicTunnelConfig
-	}
+	)
 	cfg := config.GetConfiguration()
-	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
+	if isNamedTunnel {
-	if err != nil {
+		clientUUID, err := uuid.NewRandom()
-		return nil, nil, err
+		if err != nil {
 			return nil, ingress.Ingress{}, errors.Wrap(err, "can't generate connector UUID")
 		}
 		log.Info().Msgf("Generated Connector ID: %s", clientUUID)
 		features := append(c.StringSlice("features"), origin.FeatureSerializedHeaders)
 		namedTunnel.Client = tunnelpogs.ClientInfo{
 			ClientID: clientUUID[:],
 			Features: dedup(features),
 			Version:  version,
 			Arch:     buildInfo.OSArch(),
 		}
 		ingressRules, err = ingress.ParseIngress(cfg)
 		if err != nil && err != ingress.ErrNoIngressRules {
 			return nil, ingress.Ingress{}, err
 		}
 		if !ingressRules.IsEmpty() && c.IsSet("url") {
 			return nil, ingress.Ingress{}, ingress.ErrURLIncompatibleWithIngress
 		}
 	} else {
 		originCertPath := c.String("origincert")
 		originCertLog := log.With().
 			Str(LogFieldOriginCertPath, originCertPath).
 			Logger()
 		originCert, err := getOriginCert(originCertPath, &originCertLog)
 		if err != nil {
 			return nil, ingress.Ingress{}, errors.Wrap(err, "Error getting origin cert")
 		}
 		classicTunnel = &connection.ClassicTunnelConfig{
 			Hostname:   hostname,
 			OriginCert: originCert,
 			// turn off use of reconnect token and auth refresh when using named tunnels
 			UseReconnectToken: !isNamedTunnel && c.Bool("use-reconnect-token"),
 		}
 	}
-	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
+	// Convert single-origin configuration into multi-origin configuration.
 	if ingressRules.IsEmpty() {
 		ingressRules, err = ingress.NewSingleOrigin(c, !isNamedTunnel)
 		if err != nil {
 			return nil, ingress.Ingress{}, err
 		}
 	}
 	var warpRoutingService *ingress.WarpRoutingService
 	warpRoutingEnabled := isWarpRoutingEnabled(cfg.WarpRouting, isNamedTunnel)
 	if warpRoutingEnabled {
 		warpRoutingService = ingress.NewWarpRoutingService()
 		log.Info().Msgf("Warp-routing is enabled")
 	}
 	protocolSelector, err := connection.NewProtocolSelector(c.String("protocol"), warpRoutingEnabled, namedTunnel, edgediscovery.HTTP2Percentage, origin.ResolveTTL, log)
 	if err != nil {
-		return nil, nil, err
+		return nil, ingress.Ingress{}, err
 	}
 	log.Info().Msgf("Initial protocol %s", protocolSelector.Current())
@ -188,11 +247,11 @@ func prepareTunnelConfig(
 	for _, p := range connection.ProtocolList {
 		tlsSettings := p.TLSSettings()
 		if tlsSettings == nil {
-			return nil, nil, fmt.Errorf("%s has unknown TLS settings", p)
+			return nil, ingress.Ingress{}, fmt.Errorf("%s has unknown TLS settings", p)
 		}
 		edgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, tlsSettings.ServerName)
 		if err != nil {
-			return nil, nil, errors.Wrap(err, "unable to create TLS config to connect with edge")
+			return nil, ingress.Ingress{}, errors.Wrap(err, "unable to create TLS config to connect with edge")
 		}
 		if len(tlsSettings.NextProtos) > 0 {
 			edgeTLSConfig.NextProtos = tlsSettings.NextProtos
@ -200,297 +259,70 @@ func prepareTunnelConfig(
 		edgeTLSConfigs[p] = edgeTLSConfig
 	}
-	gracePeriod, err := gracePeriod(c)
+	originProxy := origin.NewOriginProxy(ingressRules, warpRoutingService, tags, log)
-	if err != nil {
+	connectionConfig := &connection.Config{
-		return nil, nil, err
+		OriginProxy:     originProxy,
-	}
+		GracePeriod:     c.Duration("grace-period"),
 	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
 	if err != nil {
 		return nil, nil, err
 	}
 	edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
 	if err != nil {
 		return nil, nil, err
 	}
 	if err := testIPBindable(edgeBindAddr); err != nil {
 		return nil, nil, fmt.Errorf("invalid edge-bind-address %s: %v", edgeBindAddr, err)
 	}
 	edgeIPVersion, err = adjustIPVersionByBindAddress(edgeIPVersion, edgeBindAddr)
 	if err != nil {
 		// This is not a fatal error, we just overrode edgeIPVersion
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 	tunnelConfig := &supervisor.TunnelConfig{
 		GracePeriod:     gracePeriod,
 		ReplaceExisting: c.Bool("force"),
-		OSArch:          info.OSArch(),
+	}
-		ClientID:        clientID.String(),
+	muxerConfig := &connection.MuxerConfig{
-		EdgeAddrs:       c.StringSlice("edge"),
+		HeartbeatInterval: c.Duration("heartbeat-interval"),
 		Region:          c.String("region"),
 		EdgeIPVersion:   edgeIPVersion,
 		EdgeBindAddr:    edgeBindAddr,
 		HAConnections:   c.Int(haConnectionsFlag),
 		IsAutoupdated:   c.Bool("is-autoupdated"),
 		LBPool:          c.String("lb-pool"),
 		Tags:            tags,
 		Log:             log,
 		LogTransport:    logTransport,
 		Observer:        observer,
 		ReportedVersion: info.Version(),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		Retries:                             uint(c.Int("retries")),
+		MaxHeartbeats: uint64(c.Int("heartbeat-count")),
-		RunFromTerminal:                     isRunningFromTerminal(),
+		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		NamedTunnel:                         namedTunnel,
+		CompressionSetting: h2mux.CompressionSetting(uint64(c.Int("compression-quality"))),
-		ProtocolSelector:                    protocolSelector,
+		MetricsUpdateFreq:  c.Duration("metrics-update-freq"),
 		EdgeTLSConfigs:                      edgeTLSConfigs,
 		FeatureSelector:                     featureSelector,
 		MaxEdgeAddrRetries:                  uint8(c.Int("max-edge-addr-retries")),
 		RPCTimeout:                          c.Duration(rpcTimeout),
 		WriteStreamTimeout:                  c.Duration(writeStreamTimeout),
 		DisableQUICPathMTUDiscovery:         c.Bool(quicDisablePathMTUDiscovery),
 		QUICConnectionLevelFlowControlLimit: c.Uint64(quicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(quicStreamLevelFlowControlLimit),
 	}
-	packetConfig, err := newPacketConfig(c, log)
+
-	if err != nil {
+	return &origin.TunnelConfig{
-		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
+		ConnectionConfig: connectionConfig,
-	} else {
+		OSArch:           buildInfo.OSArch(),
-		tunnelConfig.PacketConfig = packetConfig
+		ClientID:         clientID,
-	}
+		EdgeAddrs:        c.StringSlice("edge"),
-	orchestratorConfig := &orchestration.Config{
+		Region:           c.String("region"),
-		Ingress:            &ingressRules,
+		HAConnections:    c.Int("ha-connections"),
-		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
+		IncidentLookup:   origin.NewIncidentLookup(),
-		ConfigurationFlags: parseConfigFlags(c),
+		IsAutoupdated:    c.Bool("is-autoupdated"),
-		WriteTimeout:       c.Duration(writeStreamTimeout),
+		LBPool:           c.String("lb-pool"),
-	}
+		Tags:             tags,
-	return tunnelConfig, orchestratorConfig, nil
+		Log:              log,
 		LogTransport:     logTransport,
 		Observer:         observer,
 		ReportedVersion:  version,
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		Retries:          uint(c.Int("retries")),
 		RunFromTerminal:  isRunningFromTerminal(),
 		NamedTunnel:      namedTunnel,
 		ClassicTunnel:    classicTunnel,
 		MuxerConfig:      muxerConfig,
 		ProtocolSelector: protocolSelector,
 		EdgeTLSConfigs:   edgeTLSConfigs,
 	}, ingressRules, nil
 }
-func parseConfigFlags(c *cli.Context) map[string]string {
+func isWarpRoutingEnabled(warpConfig config.WarpRoutingConfig, isNamedTunnel bool) bool {
-	result := make(map[string]string)
+	return warpConfig.Enabled && isNamedTunnel
 	for _, flag := range configFlags {
 		if v := c.String(flag); c.IsSet(flag) && v != "" {
 			result[flag] = v
 		}
 	}
 	return result
 }
 func gracePeriod(c *cli.Context) (time.Duration, error) {
 	period := c.Duration("grace-period")
 	if period > connection.MaxGracePeriod {
 		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
 	}
 	return period, nil
 }
 func isRunningFromTerminal() bool {
-	return term.IsTerminal(int(os.Stdout.Fd()))
+	return terminal.IsTerminal(int(os.Stdout.Fd()))
 }
-// ParseConfigIPVersion returns the IP version from possible expected values from config
+// Remove any duplicates from the slice
-func parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err error) {
+func dedup(slice []string) []string {
-	switch version {
+
-	case "4":
+	// Convert the slice into a set
-		v = allregions.IPv4Only
+	set := make(map[string]bool, 0)
-	case "6":
+	for _, str := range slice {
-		v = allregions.IPv6Only
+		set[str] = true
 	case "auto":
 		v = allregions.Auto
 	default: // unspecified or invalid
 		err = fmt.Errorf("invalid value for edge-ip-version: %s", version)
 	}
-	return
+
-}
+	// Convert the set back into a slice
-
+	keys := make([]string, len(set))
-func parseConfigBindAddress(ipstr string) (net.IP, error) {
+	i := 0
-	// Unspecified - it's fine
+	for str := range set {
-	if ipstr == "" {
+		keys[i] = str
-		return nil, nil
+		i++
-	}
+	}
-	ip := net.ParseIP(ipstr)
+	return keys
 	if ip == nil {
 		return nil, fmt.Errorf("invalid value for edge-bind-address: %s", ipstr)
 	}
 	return ip, nil
 }
 func testIPBindable(ip net.IP) error {
 	// "Unspecified" = let OS choose, so always bindable
 	if ip == nil {
 		return nil
 	}
 	addr := &net.UDPAddr{IP: ip, Port: 0}
 	listener, err := net.ListenUDP("udp", addr)
 	if err != nil {
 		return err
 	}
 	listener.Close()
 	return nil
 }
 func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.IP) (allregions.ConfigIPVersion, error) {
 	if ip == nil {
 		return ipVersion, nil
 	}
 	// https://pkg.go.dev/net#IP.To4: "If ip is not an IPv4 address, To4 returns nil."
 	if ip.To4() != nil {
 		if ipVersion == allregions.IPv6Only {
 			return allregions.IPv4Only, fmt.Errorf("IPv4 bind address is specified, but edge-ip-version is IPv6")
 		}
 		return allregions.IPv4Only, nil
 	} else {
 		if ipVersion == allregions.IPv4Only {
 			return allregions.IPv6Only, fmt.Errorf("IPv6 bind address is specified, but edge-ip-version is IPv4")
 		}
 		return allregions.IPv6Only, nil
 	}
 }
 func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
 	ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
 	}
 	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
 	ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
 	}
 	if zone != "" {
 		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
 	} else {
 		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
 	}
 	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
 	if err != nil {
 		return nil, err
 	}
 	return &ingress.GlobalRouterConfig{
 		ICMPRouter: icmpRouter,
 		IPv4Src:    ipv4Src,
 		IPv6Src:    ipv6Src,
 		Zone:       zone,
 	}, nil
 }
 func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
 	if userDefinedSrc != "" {
 		addr, err := netip.ParseAddr(userDefinedSrc)
 		if err != nil {
 			return netip.Addr{}, err
 		}
 		if addr.Is4() {
 			return addr, nil
 		}
 		return netip.Addr{}, fmt.Errorf("expect IPv4, but %s is IPv6", userDefinedSrc)
 	}
 	addr, err := findLocalAddr(net.ParseIP("192.168.0.1"), 53)
 	if err != nil {
 		addr = netip.IPv4Unspecified()
 		logger.Debug().Err(err).Msgf("Failed to determine the IPv4 for this machine. It will use %s to send/listen for ICMPv4 echo", addr)
 	}
 	return addr, nil
 }
 type interfaceIP struct {
 	name string
 	ip   net.IP
 }
 func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
 	if userDefinedSrc != "" {
 		userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
 		addr, err := netip.ParseAddr(userDefinedIP)
 		if err != nil {
 			return netip.Addr{}, "", err
 		}
 		if addr.Is6() {
 			return addr, zone, nil
 		}
 		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
 	}
 	// Loop through all the interfaces, the preference is
 	// 1. The interface where ipv4Src is in
 	// 2. Interface with IPv6 address
 	// 3. Unspecified interface
 	interfaces, err := net.Interfaces()
 	if err != nil {
 		return netip.IPv6Unspecified(), "", nil
 	}
 	interfacesWithIPv6 := make([]interfaceIP, 0)
 	for _, interf := range interfaces {
 		interfaceAddrs, err := interf.Addrs()
 		if err != nil {
 			continue
 		}
 		foundIPv4SrcInterface := false
 		for _, interfaceAddr := range interfaceAddrs {
 			if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
 				ip := ipnet.IP
 				if ip.Equal(ipv4Src.AsSlice()) {
 					foundIPv4SrcInterface = true
 				}
 				if ip.To4() == nil {
 					interfacesWithIPv6 = append(interfacesWithIPv6, interfaceIP{
 						name: interf.Name,
 						ip:   ip,
 					})
 				}
 			}
 		}
 		// Found the interface of ipv4Src. Loop through the addresses to see if there is an IPv6
 		if foundIPv4SrcInterface {
 			for _, interfaceAddr := range interfaceAddrs {
 				if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
 					ip := ipnet.IP
 					if ip.To4() == nil {
 						addr, err := netip.ParseAddr(ip.String())
 						if err == nil {
 							return addr, interf.Name, nil
 						}
 					}
 				}
 			}
 		}
 	}
 	for _, interf := range interfacesWithIPv6 {
 		addr, err := netip.ParseAddr(interf.ip.String())
 		if err == nil {
 			return addr, interf.name, nil
 		}
 	}
 	logger.Debug().Err(err).Msgf("Failed to determine the IPv6 for this machine. It will use %s to send/listen for ICMPv6 echo", netip.IPv6Unspecified())
 	return netip.IPv6Unspecified(), "", nil
 }
 // FindLocalAddr tries to dial UDP and returns the local address picked by the OS
 func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	udpConn, err := net.DialUDP("udp", nil, &net.UDPAddr{
 		IP:   dst,
 		Port: port,
 	})
 	if err != nil {
 		return netip.Addr{}, err
 	}
 	defer udpConn.Close()
 	localAddrPort, err := netip.ParseAddrPort(udpConn.LocalAddr().String())
 	if err != nil {
 		return netip.Addr{}, err
 	}
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
--- a/cmd/cloudflared/tunnel/configuration_test.go
+++ b/cmd/cloudflared/tunnel/configuration_test.go
@ -1,5 +1,4 @@
-//go:build ignore
+// +build ignore
 // TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
 package tunnel
@ -8,7 +7,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"net"
 	"os"
 	"testing"
@ -214,23 +212,3 @@ func getCertPoolSubjects(certPool *x509.CertPool) ([]*pkix.Name, error) {
 func isUnrecoverableError(err error) bool {
 	return err != nil && err.Error() != "crypto/x509: system root pool is not available on Windows"
 }
 func TestTestIPBindable(t *testing.T) {
 	assert.Nil(t, testIPBindable(nil))
 	// Public services - if one of these IPs is on the machine, the test environment is too weird
 	assert.NotNil(t, testIPBindable(net.ParseIP("8.8.8.8")))
 	assert.NotNil(t, testIPBindable(net.ParseIP("1.1.1.1")))
 	addrs, err := net.InterfaceAddrs()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for i, addr := range addrs {
 		if i >= 3 {
 			break
 		}
 		ip := addr.(*net.IPNet).IP
 		assert.Nil(t, testIPBindable(ip))
 	}
 }
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
@ -5,7 +5,6 @@ import (
 	"path/filepath"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
@ -57,13 +56,13 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
 }
 func (s searchByID) Path() (string, error) {
-	originCertPath := s.c.String(credentials.OriginCertFlag)
+	originCertPath := s.c.String("origincert")
 	originCertLog := s.log.With().
-		Str("originCertPath", originCertPath).
+		Str(LogFieldOriginCertPath, originCertPath).
 		Logger()
 	// Fallback to look for tunnel credentials in the origin cert directory
-	if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
+	if originCertPath, err := findOriginCert(originCertPath, &originCertLog); err == nil {
 		originCertDir := filepath.Dir(originCertPath)
 		if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
 			if s.fs.validFilePath(filePath) {
--- a/cmd/cloudflared/tunnel/filesystem.go
+++ b/cmd/cloudflared/tunnel/filesystem.go
@ -1,6 +1,7 @@
 package tunnel
 import (
 	"io/ioutil"
 	"os"
 )
@ -22,5 +23,5 @@ func (fs realFileSystem) validFilePath(path string) bool {
 }
 func (fs realFileSystem) readFile(filePath string) ([]byte, error) {
-	return os.ReadFile(filePath)
+	return ioutil.ReadFile(filePath)
 }
--- a/cmd/cloudflared/tunnel/fips.go
+++ b/cmd/cloudflared/tunnel/fips.go
@ -1,3 +0,0 @@
 package tunnel
 var FipsEnabled bool
--- a/cmd/cloudflared/tunnel/info.go
+++ b/cmd/cloudflared/tunnel/info.go
@ -5,12 +5,12 @@ import (
 	"github.com/google/uuid"
-	"github.com/cloudflare/cloudflared/cfapi"
+	"github.com/cloudflare/cloudflared/tunnelstore"
 )
 type Info struct {
-	ID         uuid.UUID             `json:"id"`
+	ID         uuid.UUID                   `json:"id"`
-	Name       string                `json:"name"`
+	Name       string                      `json:"name"`
-	CreatedAt  time.Time             `json:"createdAt"`
+	CreatedAt  time.Time                   `json:"createdAt"`
-	Connectors []*cfapi.ActiveClient `json:"conns"`
+	Connectors []*tunnelstore.ActiveClient `json:"conns"`
 }
--- a/cmd/cloudflared/tunnel/ingress_subcommands.go
+++ b/cmd/cloudflared/tunnel/ingress_subcommands.go
@ -1,7 +1,6 @@
 package tunnel
 import (
 	"encoding/json"
 	"fmt"
 	"net/url"
@ -13,15 +12,6 @@ import (
 	"github.com/urfave/cli/v2"
 )
 const ingressDataJSONFlagName = "json"
 var ingressDataJSON = &cli.StringFlag{
 	Name:    ingressDataJSONFlagName,
 	Aliases: []string{"j"},
 	Usage:   `Accepts data in the form of json as an input rather than read from a file`,
 	EnvVars: []string{"TUNNEL_INGRESS_VALIDATE_JSON"},
 }
 func buildIngressSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:      "ingress",
@ -59,7 +49,6 @@ func buildValidateIngressCommand() *cli.Command {
 		Usage:       "Validate the ingress configuration ",
 		UsageText:   "cloudflared tunnel [--config FILEPATH] ingress validate",
 		Description: "Validates the configuration file, ensuring your ingress rules are OK.",
 		Flags:       []cli.Flag{ingressDataJSON},
 	}
 }
@ -80,11 +69,12 @@ func buildTestURLCommand() *cli.Command {
 // validateIngressCommand check the syntax of the ingress rules in the cloudflared config file
 func validateIngressCommand(c *cli.Context, warnings string) error {
-	conf, err := getConfiguration(c)
+	conf := config.GetConfiguration()
-	if err != nil {
+	if conf.Source() == "" {
-		return err
+		fmt.Println("No configuration file was found. Please create one, or use the --config flag to specify its filepath. You can use the help command to learn more about configuration files")
 		return nil
 	}
-
+	fmt.Println("Validating rules from", conf.Source())
 	if _, err := ingress.ParseIngress(conf); err != nil {
 		return errors.Wrap(err, "Validation failed")
 	}
@ -100,22 +90,6 @@ func validateIngressCommand(c *cli.Context, warnings string) error {
 	return nil
 }
 func getConfiguration(c *cli.Context) (*config.Configuration, error) {
 	var conf *config.Configuration
 	if c.IsSet(ingressDataJSONFlagName) {
 		ingressJSON := c.String(ingressDataJSONFlagName)
 		fmt.Println("Validating rules from cmdline flag --json")
 		err := json.Unmarshal([]byte(ingressJSON), &conf)
 		return conf, err
 	}
 	conf = config.GetConfiguration()
 	if conf.Source() == "" {
 		return nil, errors.New("No configuration file was found. Please create one, or use the --config flag to specify its filepath. You can use the help command to learn more about configuration files")
 	}
 	fmt.Println("Validating rules from", conf.Source())
 	return conf, nil
 }
 // testURLCommand checks which ingress rule matches the given URL.
 func testURLCommand(c *cli.Context) error {
 	requestArg := c.Args().First()
@ -139,7 +113,7 @@ func testURLCommand(c *cli.Context) error {
 	}
 	_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
-	fmt.Printf("Matched rule #%d\n", i)
+	fmt.Printf("Matched rule #%d\n", i+1)
 	fmt.Println(ing.Rules[i].MultiLineString())
 	return nil
 }
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -2,6 +2,7 @@ package tunnel
 import (
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
@ -13,7 +14,6 @@ import (
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/token"
 )
@ -52,7 +52,6 @@ func login(c *cli.Context) error {
 	resourceData, err := token.RunTransfer(
 		loginURL,
 		"",
 		"cert",
 		"callback",
 		callbackStoreURL,
@ -65,7 +64,7 @@ func login(c *cli.Context) error {
 		return err
 	}
-	if err := os.WriteFile(path, resourceData, 0600); err != nil {
+	if err := ioutil.WriteFile(path, resourceData, 0600); err != nil {
 		return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
 	}
@ -86,7 +85,7 @@ func checkForExistingCert() (string, bool, error) {
 	if err != nil {
 		return "", false, err
 	}
-	path := filepath.Join(configPath, credentials.DefaultCredentialFile)
+	path := filepath.Join(configPath, config.DefaultCredentialFile)
 	fileInfo, err := os.Stat(path)
 	if err == nil && fileInfo.Size() > 0 {
 		return path, true, nil
--- a/cmd/cloudflared/tunnel/quick_tunnel.go
+++ b/cmd/cloudflared/tunnel/quick_tunnel.go
@ -35,13 +35,7 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		Timeout: httpTimeout,
 	}
-	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), nil)
+	resp, err := client.Post(fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), "application/json", nil)
 	if err != nil {
 		return errors.Wrap(err, "failed to build quick tunnel request")
 	}
 	req.Header.Add("Content-Type", "application/json")
 	req.Header.Add("User-Agent", buildInfo.UserAgent())
 	resp, err := client.Do(req)
 	if err != nil {
 		return errors.Wrap(err, "failed to request quick Tunnel")
 	}
@ -61,6 +55,7 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		AccountTag:   data.Result.AccountTag,
 		TunnelSecret: data.Result.Secret,
 		TunnelID:     tunnelID,
 		TunnelName:   data.Result.Name,
 	}
 	url := data.Result.Hostname
@ -75,18 +70,12 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		sc.log.Info().Msg(line)
 	}
 	if !sc.c.IsSet("protocol") {
 		sc.c.Set("protocol", "quic")
 	}
 	// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
 	// so, use a single connection instead.
 	sc.c.Set(haConnectionsFlag, "1")
 	return StartServer(
 		sc.c,
-		buildInfo,
+		version,
-		&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
+		&connection.NamedTunnelConfig{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
 		sc.log,
 		sc.isUIEnabled,
 	)
 }
--- a/cmd/cloudflared/tunnel/signal_test.go
+++ b/cmd/cloudflared/tunnel/signal_test.go
@ -1,4 +1,4 @@
-//go:build !windows
+// +build !windows
 package tunnel
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -1,7 +1,6 @@
 package tunnel
 import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
@ -13,10 +12,10 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
-	"github.com/cloudflare/cloudflared/cfapi"
+	"github.com/cloudflare/cloudflared/certutil"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/tunnelstore"
 )
 type errInvalidJSONCredential struct {
@ -31,20 +30,27 @@ func (e errInvalidJSONCredential) Error() string {
 // subcommandContext carries structs shared between subcommands, to reduce number of arguments needed to
 // pass between subcommands, and make sure they are only initialized once
 type subcommandContext struct {
-	c   *cli.Context
+	c           *cli.Context
-	log *zerolog.Logger
+	log         *zerolog.Logger
-	fs  fileSystem
+	isUIEnabled bool
 	fs          fileSystem
 	// These fields should be accessed using their respective Getter
-	tunnelstoreClient cfapi.Client
+	tunnelstoreClient tunnelstore.Client
-	userCredential    *credentials.User
+	userCredential    *userCredential
 }
 func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 	isUIEnabled := c.IsSet(uiFlag) && c.String("name") != ""
 	// If UI is enabled, terminal log output should be disabled -- log should be written into a UI log window instead
 	log := logger.CreateLoggerFromContext(c, isUIEnabled)
 	return &subcommandContext{
-		c:   c,
+		c:           c,
-		log: logger.CreateLoggerFromContext(c, logger.EnableTerminalLog),
+		log:         log,
-		fs:  realFileSystem{},
+		isUIEnabled: isUIEnabled,
 		fs:          realFileSystem{},
 	}, nil
 }
@ -56,28 +62,65 @@ func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
-func (sc *subcommandContext) client() (cfapi.Client, error) {
+type userCredential struct {
 	cert     *certutil.OriginCert
 	certPath string
 }
 func (sc *subcommandContext) client() (tunnelstore.Client, error) {
 	if sc.tunnelstoreClient != nil {
 		return sc.tunnelstoreClient, nil
 	}
-	cred, err := sc.credential()
+	credential, err := sc.credential()
 	if err != nil {
 		return nil, err
 	}
-	sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
+	userAgent := fmt.Sprintf("cloudflared/%s", version)
 	client, err := tunnelstore.NewRESTClient(
 		sc.c.String("api-url"),
 		credential.cert.AccountID,
 		credential.cert.ZoneID,
 		credential.cert.ServiceKey,
 		userAgent,
 		sc.log,
 	)
 	if err != nil {
 		return nil, err
 	}
-	return sc.tunnelstoreClient, nil
+	sc.tunnelstoreClient = client
 	return client, nil
 }
-func (sc *subcommandContext) credential() (*credentials.User, error) {
+func (sc *subcommandContext) credential() (*userCredential, error) {
 	if sc.userCredential == nil {
-		uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
+		originCertPath := sc.c.String("origincert")
 		originCertLog := sc.log.With().
 			Str(LogFieldOriginCertPath, originCertPath).
 			Logger()
 		originCertPath, err := findOriginCert(originCertPath, &originCertLog)
 		if err != nil {
-			return nil, err
+			return nil, errors.Wrap(err, "Error locating origin cert")
 		}
 		blocks, err := readOriginCert(originCertPath)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Can't read origin cert from %s", originCertPath)
 		}
 		cert, err := certutil.DecodeOriginCert(blocks)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error decoding origin cert")
 		}
 		if cert.AccountID == "" {
 			return nil, errors.Errorf(`Origin certificate needs to be refreshed before creating new tunnels.\nDelete %s and run "cloudflared login" to obtain a new cert.`, originCertPath)
 		}
 		sc.userCredential = &userCredential{
 			cert:     cert,
 			certPath: originCertPath,
 		}
 		sc.userCredential = uc
 	}
 	return sc.userCredential, nil
 }
@ -105,27 +148,15 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 	return credentials, nil
 }
-func (sc *subcommandContext) create(name string, credentialsFilePath string, secret string) (*cfapi.Tunnel, error) {
+func (sc *subcommandContext) create(name string, credentialsFilePath string) (*tunnelstore.Tunnel, error) {
 	client, err := sc.client()
 	if err != nil {
-		return nil, errors.Wrap(err, "couldn't create client to talk to Cloudflare Tunnel backend")
+		return nil, errors.Wrap(err, "couldn't create client to talk to Argo Tunnel backend")
 	}
-	var tunnelSecret []byte
+	tunnelSecret, err := generateTunnelSecret()
-	if secret == "" {
+	if err != nil {
-		tunnelSecret, err = generateTunnelSecret()
+		return nil, errors.Wrap(err, "couldn't generate the secret for your new tunnel")
 		if err != nil {
 			return nil, errors.Wrap(err, "couldn't generate the secret for your new tunnel")
 		}
 	} else {
 		decodedSecret, err := base64.StdEncoding.DecodeString(secret)
 		if err != nil {
 			return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
 		}
 		tunnelSecret = []byte(decodedSecret)
 		if len(tunnelSecret) < 32 {
 			return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
 		}
 	}
 	tunnel, err := client.CreateTunnel(name, tunnelSecret)
@ -138,13 +169,14 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
-		AccountTag:   credential.AccountID(),
+		AccountTag:   credential.cert.AccountID,
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 		TunnelName:   name,
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
-		originCertDir := filepath.Dir(credential.CertPath())
+		originCertDir := filepath.Dir(credential.certPath)
 		credentialsFilePath, err = tunnelFilePath(tunnelCredentials.TunnelID, originCertDir)
 		if err != nil {
 			return nil, err
@ -156,7 +188,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		var errorLines []string
 		errorLines = append(errorLines, fmt.Sprintf("Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write tunnel credentials to %s.", tunnel.Name, tunnel.ID, credentialsFilePath))
 		errorLines = append(errorLines, fmt.Sprintf("The file-writing error is: %v", writeFileErr))
-		if deleteErr := client.DeleteTunnel(tunnel.ID, true); deleteErr != nil {
+		if deleteErr := client.DeleteTunnel(tunnel.ID); deleteErr != nil {
 			errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
 			errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
 		} else {
@ -176,11 +208,10 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	}
 	fmt.Println(" Keep this file secret. To revoke these credentials, delete the tunnel.")
 	fmt.Printf("\nCreated tunnel %s with id %s\n", tunnel.Name, tunnel.ID)
-
+	return tunnel, nil
 	return &tunnel.Tunnel, nil
 }
-func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel, error) {
+func (sc *subcommandContext) list(filter *tunnelstore.Filter) ([]*tunnelstore.Tunnel, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, err
@ -199,15 +230,20 @@ func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
 	for _, id := range tunnelIDs {
 		tunnel, err := client.GetTunnel(id)
 		if err != nil {
-			return errors.Wrapf(err, "Can't get tunnel information. Please check tunnel id: %s", id)
+			return errors.Wrapf(err, "Can't get tunnel information. Please check tunnel id: %s", tunnel.ID)
 		}
 		// Check if tunnel DeletedAt field has already been set
 		if !tunnel.DeletedAt.IsZero() {
 			return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
 		}
 		if forceFlagSet {
 			if err := client.CleanupConnections(tunnel.ID, tunnelstore.NewCleanupParams()); err != nil {
 				return errors.Wrapf(err, "Error cleaning up connections for tunnel %s", tunnel.ID)
 			}
 		}
-		if err := client.DeleteTunnel(tunnel.ID, forceFlagSet); err != nil {
+		if err := client.DeleteTunnel(tunnel.ID); err != nil {
 			return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
 		}
@ -252,22 +288,17 @@ func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
 		return err
 	}
 	return sc.runWithCredentials(credentials)
 }
 func (sc *subcommandContext) runWithCredentials(credentials connection.Credentials) error {
 	sc.log.Info().Str(LogFieldTunnelID, credentials.TunnelID.String()).Msg("Starting tunnel")
 	return StartServer(
 		sc.c,
-		buildInfo,
+		version,
-		&connection.TunnelProperties{Credentials: credentials},
+		&connection.NamedTunnelConfig{Credentials: credentials},
 		sc.log,
 		sc.isUIEnabled,
 	)
 }
 func (sc *subcommandContext) cleanupConnections(tunnelIDs []uuid.UUID) error {
-	params := cfapi.NewCleanupParams()
+	params := tunnelstore.NewCleanupParams()
 	extraLog := ""
 	if connector := sc.c.String("connector-id"); connector != "" {
 		connectorID, err := uuid.Parse(connector)
@ -291,22 +322,7 @@ func (sc *subcommandContext) cleanupConnections(tunnelIDs []uuid.UUID) error {
 	return nil
 }
-func (sc *subcommandContext) getTunnelTokenCredentials(tunnelID uuid.UUID) (*connection.TunnelToken, error) {
+func (sc *subcommandContext) route(tunnelID uuid.UUID, r tunnelstore.Route) (tunnelstore.RouteResult, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, err
 	}
 	token, err := client.GetTunnelToken(tunnelID)
 	if err != nil {
 		sc.log.Err(err).Msgf("Could not get the Token for the given Tunnel %v", tunnelID)
 		return nil, err
 	}
 	return ParseToken(token)
 }
 func (sc *subcommandContext) route(tunnelID uuid.UUID, r cfapi.HostnameRoute) (cfapi.HostnameRouteResult, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, err
@ -316,8 +332,8 @@ func (sc *subcommandContext) route(tunnelID uuid.UUID, r cfapi.HostnameRoute) (c
 }
 // Query Tunnelstore to find the active tunnel with the given name.
-func (sc *subcommandContext) tunnelActive(name string) (*cfapi.Tunnel, bool, error) {
+func (sc *subcommandContext) tunnelActive(name string) (*tunnelstore.Tunnel, bool, error) {
-	filter := cfapi.NewTunnelFilter()
+	filter := tunnelstore.NewFilter()
 	filter.NoDeleted()
 	filter.ByName(name)
 	tunnels, err := sc.list(filter)
@ -341,7 +357,7 @@ func (sc *subcommandContext) findID(input string) (uuid.UUID, error) {
 	// Look up name in the credentials file.
 	credFinder := newStaticPath(sc.c.String(CredFileFlag), sc.fs)
 	if credentials, err := sc.readTunnelCredentials(credFinder); err == nil {
-		if credentials.TunnelID != uuid.Nil {
+		if credentials.TunnelID != uuid.Nil && input == credentials.TunnelName {
 			return credentials.TunnelID, nil
 		}
 	}
@ -357,42 +373,52 @@ func (sc *subcommandContext) findID(input string) (uuid.UUID, error) {
 }
 // findIDs is just like mapping `findID` over a slice, but it only uses
-// one Tunnelstore API call per non-UUID input provided.
+// one Tunnelstore API call.
 func (sc *subcommandContext) findIDs(inputs []string) ([]uuid.UUID, error) {
 	uuids, names := splitUuids(inputs)
-	for _, name := range names {
+	// Shortcut without Tunnelstore call if we find that all inputs are already UUIDs.
-		filter := cfapi.NewTunnelFilter()
+	uuids, err := convertNamesToUuids(inputs, make(map[string]uuid.UUID))
-		filter.NoDeleted()
+	if err == nil {
-		filter.ByName(name)
+		return uuids, nil
 		tunnels, err := sc.list(filter)
 		if err != nil {
 			return nil, err
 		}
 		if len(tunnels) != 1 {
 			return nil, fmt.Errorf("there should only be 1 non-deleted Tunnel named %s", name)
 		}
 		uuids = append(uuids, tunnels[0].ID)
 	}
-	return uuids, nil
+	// First, look up all tunnels the user has
 	filter := tunnelstore.NewFilter()
 	filter.NoDeleted()
 	tunnels, err := sc.list(filter)
 	if err != nil {
 		return nil, err
 	}
 	// Do the pure list-processing in its own function, so that it can be
 	// unit tested easily.
 	return findIDs(tunnels, inputs)
 }
-func splitUuids(inputs []string) ([]uuid.UUID, []string) {
+func findIDs(tunnels []*tunnelstore.Tunnel, inputs []string) ([]uuid.UUID, error) {
-	uuids := make([]uuid.UUID, 0)
+	// Put them into a dictionary for faster lookups
-	names := make([]string, 0)
+	nameToID := make(map[string]uuid.UUID, len(tunnels))
 	for _, tunnel := range tunnels {
 		nameToID[tunnel.Name] = tunnel.ID
 	}
-	for _, input := range inputs {
+	return convertNamesToUuids(inputs, nameToID)
-		id, err := uuid.Parse(input)
+}
-		if err != nil {
+
-			names = append(names, input)
+func convertNamesToUuids(inputs []string, nameToID map[string]uuid.UUID) ([]uuid.UUID, error) {
 	tunnelIDs := make([]uuid.UUID, len(inputs))
 	var badInputs []string
 	for i, input := range inputs {
 		if id, err := uuid.Parse(input); err == nil {
 			tunnelIDs[i] = id
 		} else if id, ok := nameToID[input]; ok {
 			tunnelIDs[i] = id
 		} else {
-			uuids = append(uuids, id)
+			badInputs = append(badInputs, input)
 		}
 	}
-
+	if len(badInputs) > 0 {
-	return uuids, names
+		msg := "Please specify either the ID or name of a tunnel. The following inputs were neither: %s"
 		return nil, fmt.Errorf(msg, strings.Join(badInputs, ", "))
 	}
 	return tunnelIDs, nil
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
@ -3,15 +3,14 @@ package tunnel
 import (
 	"net"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
-	"github.com/cloudflare/cloudflared/cfapi"
+	"github.com/cloudflare/cloudflared/teamnet"
 )
 const noClientMsg = "error while creating backend client"
-func (sc *subcommandContext) listRoutes(filter *cfapi.IpRouteFilter) ([]*cfapi.DetailedRoute, error) {
+func (sc *subcommandContext) listRoutes(filter *teamnet.Filter) ([]*teamnet.DetailedRoute, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, errors.Wrap(err, noClientMsg)
@ -19,48 +18,26 @@ func (sc *subcommandContext) listRoutes(filter *cfapi.IpRouteFilter) ([]*cfapi.D
 	return client.ListRoutes(filter)
 }
-func (sc *subcommandContext) addRoute(newRoute cfapi.NewRoute) (cfapi.Route, error) {
+func (sc *subcommandContext) addRoute(newRoute teamnet.NewRoute) (teamnet.Route, error) {
 	client, err := sc.client()
 	if err != nil {
-		return cfapi.Route{}, errors.Wrap(err, noClientMsg)
+		return teamnet.Route{}, errors.Wrap(err, noClientMsg)
 	}
 	return client.AddRoute(newRoute)
 }
-func (sc *subcommandContext) deleteRoute(id uuid.UUID) error {
+func (sc *subcommandContext) deleteRoute(network net.IPNet) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
-	return client.DeleteRoute(id)
+	return client.DeleteRoute(network)
 }
-func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfapi.DetailedRoute, error) {
+func (sc *subcommandContext) getRouteByIP(ip net.IP) (teamnet.DetailedRoute, error) {
 	client, err := sc.client()
 	if err != nil {
-		return cfapi.DetailedRoute{}, errors.Wrap(err, noClientMsg)
+		return teamnet.DetailedRoute{}, errors.Wrap(err, noClientMsg)
 	}
-	return client.GetByIP(params)
+	return client.GetByIP(ip)
 }
 func (sc *subcommandContext) getRouteId(network net.IPNet, vnetId *uuid.UUID) (uuid.UUID, error) {
 	filters := cfapi.NewIPRouteFilter()
 	filters.NotDeleted()
 	filters.NetworkIsSubsetOf(network)
 	filters.NetworkIsSupersetOf(network)
 	if vnetId != nil {
 		filters.VNetID(*vnetId)
 	}
 	result, err := sc.listRoutes(filters)
 	if err != nil {
 		return uuid.Nil, err
 	}
 	if len(result) != 1 {
 		return uuid.Nil, errors.New("unable to find route for provided network and vnet")
 	}
 	return result[0].ID, nil
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_test.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_test.go
@ -11,14 +11,85 @@ import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/connection"
-	"github.com/cloudflare/cloudflared/credentials"
+	"github.com/cloudflare/cloudflared/tunnelstore"
 )
 func Test_findIDs(t *testing.T) {
 	type args struct {
 		tunnels []*tunnelstore.Tunnel
 		inputs  []string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    []uuid.UUID
 		wantErr bool
 	}{
 		{
 			name: "input not found",
 			args: args{
 				inputs: []string{"asdf"},
 			},
 			wantErr: true,
 		},
 		{
 			name: "only UUID",
 			args: args{
 				inputs: []string{"a8398a0b-876d-48ed-b609-3fcfd67a4950"},
 			},
 			want: []uuid.UUID{uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950")},
 		},
 		{
 			name: "only name",
 			args: args{
 				tunnels: []*tunnelstore.Tunnel{
 					{
 						ID:   uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950"),
 						Name: "tunnel1",
 					},
 				},
 				inputs: []string{"tunnel1"},
 			},
 			want: []uuid.UUID{uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950")},
 		},
 		{
 			name: "both UUID and name",
 			args: args{
 				tunnels: []*tunnelstore.Tunnel{
 					{
 						ID:   uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950"),
 						Name: "tunnel1",
 					},
 					{
 						ID:   uuid.MustParse("bf028b68-744f-466e-97f8-c46161d80aa5"),
 						Name: "tunnel2",
 					},
 				},
 				inputs: []string{"tunnel1", "bf028b68-744f-466e-97f8-c46161d80aa5"},
 			},
 			want: []uuid.UUID{
 				uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950"),
 				uuid.MustParse("bf028b68-744f-466e-97f8-c46161d80aa5"),
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := findIDs(tt.args.tunnels, tt.args.inputs)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("findIDs() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("findIDs() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 type mockFileSystem struct {
 	rf  func(string) ([]byte, error)
 	vfp func(string) bool
@ -36,9 +107,10 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 	type fields struct {
 		c                 *cli.Context
 		log               *zerolog.Logger
 		isUIEnabled       bool
 		fs                fileSystem
-		tunnelstoreClient cfapi.Client
+		tunnelstoreClient tunnelstore.Client
-		userCredential    *credentials.User
+		userCredential    *userCredential
 	}
 	type args struct {
 		tunnelID uuid.UUID
@ -116,6 +188,7 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 				AccountTag:   accountTag,
 				TunnelID:     tunnelID,
 				TunnelSecret: secret,
 				TunnelName:   name,
 			},
 		},
 		{
@ -160,6 +233,7 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 				AccountTag:   accountTag,
 				TunnelID:     tunnelID,
 				TunnelSecret: secret,
 				TunnelName:   name,
 			},
 		},
 	}
@ -168,6 +242,7 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 			sc := &subcommandContext{
 				c:                 tt.fields.c,
 				log:               tt.fields.log,
 				isUIEnabled:       tt.fields.isUIEnabled,
 				fs:                tt.fields.fs,
 				tunnelstoreClient: tt.fields.tunnelstoreClient,
 				userCredential:    tt.fields.userCredential,
@ -185,13 +260,13 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
 }
 type deleteMockTunnelStore struct {
-	cfapi.Client
+	tunnelstore.Client
 	mockTunnels      map[uuid.UUID]mockTunnelBehaviour
 	deletedTunnelIDs []uuid.UUID
 }
 type mockTunnelBehaviour struct {
-	tunnel     cfapi.Tunnel
+	tunnel     tunnelstore.Tunnel
 	deleteErr  error
 	cleanupErr error
 }
@ -207,7 +282,7 @@ func newDeleteMockTunnelStore(tunnels ...mockTunnelBehaviour) *deleteMockTunnelS
 	}
 }
-func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*cfapi.Tunnel, error) {
+func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*tunnelstore.Tunnel, error) {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return nil, fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
@ -215,11 +290,7 @@ func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*cfapi.Tunnel, er
 	return &tunnel.tunnel, nil
 }
-func (d *deleteMockTunnelStore) GetTunnelToken(tunnelID uuid.UUID) (string, error) {
+func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID) error {
 	return "token", nil
 }
 func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
@ -235,7 +306,7 @@ func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) e
 	return nil
 }
-func (d *deleteMockTunnelStore) CleanupConnections(tunnelID uuid.UUID, _ *cfapi.CleanupParams) error {
+func (d *deleteMockTunnelStore) CleanupConnections(tunnelID uuid.UUID, _ *tunnelstore.CleanupParams) error {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
@ -250,7 +321,7 @@ func Test_subcommandContext_Delete(t *testing.T) {
 		isUIEnabled       bool
 		fs                fileSystem
 		tunnelstoreClient *deleteMockTunnelStore
-		userCredential    *credentials.User
+		userCredential    *userCredential
 	}
 	type args struct {
 		tunnelIDs []uuid.UUID
@ -286,10 +357,10 @@ func Test_subcommandContext_Delete(t *testing.T) {
 				}(),
 				tunnelstoreClient: newDeleteMockTunnelStore(
 					mockTunnelBehaviour{
-						tunnel: cfapi.Tunnel{ID: tunnelID1},
+						tunnel: tunnelstore.Tunnel{ID: tunnelID1},
 					},
 					mockTunnelBehaviour{
-						tunnel: cfapi.Tunnel{ID: tunnelID2},
+						tunnel: tunnelstore.Tunnel{ID: tunnelID2},
 					},
 				),
 			},
@ -306,6 +377,7 @@ func Test_subcommandContext_Delete(t *testing.T) {
 			sc := &subcommandContext{
 				c:                 tt.fields.c,
 				log:               tt.fields.log,
 				isUIEnabled:       tt.fields.isUIEnabled,
 				fs:                tt.fields.fs,
 				tunnelstoreClient: tt.fields.tunnelstoreClient,
 				userCredential:    tt.fields.userCredential,
@ -323,48 +395,3 @@ func Test_subcommandContext_Delete(t *testing.T) {
 		})
 	}
 }
 func Test_subcommandContext_ValidateIngressCommand(t *testing.T) {
 	var tests = []struct {
 		name        string
 		c           *cli.Context
 		wantErr     bool
 		expectedErr error
 	}{
 		{
 			name: "read a valid configuration from data",
 			c: func() *cli.Context {
 				data := `{ "warp-routing": {"enabled": true},  "originRequest" : {"connectTimeout": 10}, "ingress" : [ {"hostname": "test", "service": "https://localhost:8000" } , {"service": "http_status:404"} ]}`
 				flagSet := flag.NewFlagSet("json", flag.PanicOnError)
 				flagSet.String(ingressDataJSONFlagName, data, "")
 				c := cli.NewContext(cli.NewApp(), flagSet, nil)
 				_ = c.Set(ingressDataJSONFlagName, data)
 				return c
 			}(),
 		},
 		{
 			name: "read an invalid configuration with multiple mistakes",
 			c: func() *cli.Context {
 				data := `{ "ingress" : [ {"hostname": "test", "service": "localhost:8000" } , {"service": "http_status:invalid_status"} ]}`
 				flagSet := flag.NewFlagSet("json", flag.PanicOnError)
 				flagSet.String(ingressDataJSONFlagName, data, "")
 				c := cli.NewContext(cli.NewApp(), flagSet, nil)
 				_ = c.Set(ingressDataJSONFlagName, data)
 				return c
 			}(),
 			wantErr:     true,
 			expectedErr: errors.New("Validation failed: localhost:8000 is an invalid address, please make sure it has a scheme and a hostname"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateIngressCommand(tt.c, "")
 			if tt.wantErr {
 				assert.Equal(t, tt.expectedErr.Error(), err.Error())
 			} else {
 				assert.Nil(t, err)
 			}
 		})
 	}
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_vnets.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_vnets.go
@ -1,40 +0,0 @@
 package tunnel
 import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cfapi"
 )
 func (sc *subcommandContext) addVirtualNetwork(newVnet cfapi.NewVirtualNetwork) (cfapi.VirtualNetwork, error) {
 	client, err := sc.client()
 	if err != nil {
 		return cfapi.VirtualNetwork{}, errors.Wrap(err, noClientMsg)
 	}
 	return client.CreateVirtualNetwork(newVnet)
 }
 func (sc *subcommandContext) listVirtualNetworks(filter *cfapi.VnetFilter) ([]*cfapi.VirtualNetwork, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, errors.Wrap(err, noClientMsg)
 	}
 	return client.ListVirtualNetworks(filter)
 }
 func (sc *subcommandContext) deleteVirtualNetwork(vnetId uuid.UUID, force bool) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
 	return client.DeleteVirtualNetwork(vnetId, force)
 }
 func (sc *subcommandContext) updateVirtualNetwork(vnetId uuid.UUID, updates cfapi.UpdateVirtualNetwork) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
 	return client.UpdateVirtualNetwork(vnetId, updates)
 }
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -2,9 +2,9 @@ package tunnel
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"regexp"
@ -19,13 +19,13 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/net/idna"
-	yaml "gopkg.in/yaml.v3"
+	yaml "gopkg.in/yaml.v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/tunnelstore"
 )
 const (
@ -34,7 +34,6 @@ const (
 	CredFileFlagAlias    = "cred-file"
 	CredFileFlag         = "credentials-file"
 	CredContentsFlag     = "credentials-contents"
 	TunnelTokenFlag      = "token"
 	overwriteDNSFlagName = "overwrite-dns"
 	LogFieldTunnelID = "tunnelID"
@ -65,8 +64,8 @@ var (
 		Name:        "when",
 		Aliases:     []string{"w"},
 		Usage:       "List tunnels that are active at the given `TIME` in RFC3339 format",
-		Layout:      cfapi.TimeLayout,
+		Layout:      tunnelstore.TimeLayout,
-		DefaultText: fmt.Sprintf("current time, %s", time.Now().Format(cfapi.TimeLayout)),
+		DefaultText: fmt.Sprintf("current time, %s", time.Now().Format(tunnelstore.TimeLayout)),
 	}
 	listIDFlag = &cli.StringFlag{
 		Name:    "id",
@ -94,6 +93,14 @@ var (
 		Usage:   "Inverts the sort order of the tunnel list.",
 		EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
 	}
 	forceFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
 		Name:    "force",
 		Aliases: []string{"f"},
 		Usage: "By default, if a tunnel is currently being run from a cloudflared, you can't " +
 			"simultaneously rerun it again from a second cloudflared. The --force flag lets you " +
 			"overwrite the previous tunnel. If you want to use a single hostname with multiple " +
 			"tunnels, you can do so with Cloudflare's Load Balancer product.",
 	})
 	featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 		Name:    "features",
 		Aliases: []string{"F"},
@ -111,33 +118,21 @@ var (
 		Usage:   "Contents of the tunnel credentials JSON file to use. When provided along with credentials-file, this will take precedence.",
 		EnvVars: []string{"TUNNEL_CRED_CONTENTS"},
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
 		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
 	forceDeleteFlag = &cli.BoolFlag{
 		Name:    "force",
 		Aliases: []string{"f"},
-		Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
+		Usage: "Cleans up any stale connections before the tunnel is deleted. cloudflared will not " +
-			" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
+			"delete a tunnel with connections without this flag.",
 		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
 	}
 	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    "protocol",
-		Value:   connection.AutoSelectFlag,
+		Value:   "auto",
 		Aliases: []string{"p"},
 		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
 		EnvVars: []string{"TUNNEL_TRANSPORT_PROTOCOL"},
 		Hidden:  true,
 	})
 	postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
 		Name:    "post-quantum",
 		Usage:   "When given creates an experimental post-quantum secure tunnel",
 		Aliases: []string{"pq"},
 		EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 		Hidden:  FipsEnabled,
 	})
 	sortInfoByFlag = &cli.StringFlag{
 		Name:    "sort-by",
 		Value:   "createdAt",
@ -161,22 +156,6 @@ var (
 		Usage:   `Overwrites existing DNS records with this hostname`,
 		EnvVars: []string{"TUNNEL_FORCE_PROVISIONING_DNS"},
 	}
 	createSecretFlag = &cli.StringFlag{
 		Name:    "secret",
 		Aliases: []string{"s"},
 		Usage:   "Base64 encoded secret to set for the tunnel. The decoded secret must be at least 32 bytes long. If not specified, a random 32-byte secret will be generated.",
 		EnvVars: []string{"TUNNEL_CREATE_SECRET"},
 	}
 	icmpv4SrcFlag = &cli.StringFlag{
 		Name:    "icmpv4-src",
 		Usage:   "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
 		EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
 	}
 	icmpv6SrcFlag = &cli.StringFlag{
 		Name:    "icmpv6-src",
 		Usage:   "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
 		EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
 	}
 )
 func buildCreateCommand() *cli.Command {
@ -191,7 +170,7 @@ func buildCreateCommand() *cli.Command {
  For example, to create a tunnel named 'my-tunnel' run:
  $ cloudflared tunnel create my-tunnel`,
-		Flags:              []cli.Flag{outputFormatFlag, credentialsFileFlagCLIOnly, createSecretFlag},
+		Flags:              []cli.Flag{outputFormatFlag, credentialsFileFlagCLIOnly},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
@ -217,7 +196,7 @@ func createCommand(c *cli.Context) error {
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
-	_, err = sc.create(name, c.String(CredFileFlag), c.String(createSecretFlag.Name))
+	_, err = sc.create(name, c.String(CredFileFlag))
 	return errors.Wrap(err, "failed to create tunnel")
 }
@ -240,7 +219,7 @@ func writeTunnelCredentials(filePath string, credentials *connection.Credentials
 	if err != nil {
 		return errors.Wrap(err, "Unable to marshal tunnel credentials to JSON")
 	}
-	return os.WriteFile(filePath, body, 0400)
+	return ioutil.WriteFile(filePath, body, 400)
 }
 func buildListCommand() *cli.Command {
@ -275,7 +254,7 @@ func listCommand(c *cli.Context) error {
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
-	filter := cfapi.NewTunnelFilter()
+	filter := tunnelstore.NewFilter()
 	if !c.Bool("show-deleted") {
 		filter.NoDeleted()
 	}
@ -298,9 +277,6 @@ func listCommand(c *cli.Context) error {
 		}
 		filter.ByTunnelID(tunnelID)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		filter.MaxFetchSize(uint(maxFetch))
 	}
 	tunnels, err := sc.list(filter)
 	if err != nil {
@ -344,13 +320,13 @@ func listCommand(c *cli.Context) error {
 	if len(tunnels) > 0 {
 		formatAndPrintTunnelList(tunnels, c.Bool("show-recently-disconnected"))
 	} else {
-		fmt.Println("No tunnels were found for the given filter flags. You can use 'cloudflared tunnel create' to create a tunnel.")
+		fmt.Println("You have no tunnels, use 'cloudflared tunnel create' to define a new tunnel")
 	}
 	return nil
 }
-func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected bool) {
+func formatAndPrintTunnelList(tunnels []*tunnelstore.Tunnel, showRecentlyDisconnected bool) {
 	writer := tabWriter()
 	defer writer.Flush()
@ -372,7 +348,7 @@ func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected
 	}
 }
-func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
+func fmtConnections(connections []tunnelstore.Connection, showRecentlyDisconnected bool) string {
 	// Count connections per colo
 	numConnsPerColo := make(map[string]uint, len(connections))
@ -492,8 +468,8 @@ func tunnelInfo(c *cli.Context) error {
 	return nil
 }
-func getTunnel(sc *subcommandContext, tunnelID uuid.UUID) (*cfapi.Tunnel, error) {
+func getTunnel(sc *subcommandContext, tunnelID uuid.UUID) (*tunnelstore.Tunnel, error) {
-	filter := cfapi.NewTunnelFilter()
+	filter := tunnelstore.NewFilter()
 	filter.ByTunnelID(tunnelID)
 	tunnels, err := sc.list(filter)
 	if err != nil {
@ -607,14 +583,11 @@ func renderOutput(format string, v interface{}) error {
 func buildRunCommand() *cli.Command {
 	flags := []cli.Flag{
 		forceFlag,
 		credentialsFileFlag,
 		credentialsContentsFlag,
 		postQuantumFlag,
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@ -622,7 +595,7 @@ func buildRunCommand() *cli.Command {
 		Action:    cliutil.ConfiguredAction(runCommand),
 		Usage:     "Proxy a local web server by running the given tunnel",
 		UsageText: "cloudflared tunnel [tunnel command options] run [subcommand options] [TUNNEL]",
-		Description: `Runs the tunnel identified by name or UUID, creating highly available connections
+		Description: `Runs the tunnel identified by name or UUUD, creating highly available connections
  between your server and the Cloudflare edge. You can provide name or UUID of tunnel to run either as the
  last command line argument or in the configuration file using "tunnel: TUNNEL".
@ -645,6 +618,14 @@ func runCommand(c *cli.Context) error {
 	if c.NArg() > 1 {
 		return cliutil.UsageError(`"cloudflared tunnel run" accepts only one argument, the ID or name of the tunnel to run.`)
 	}
 	tunnelRef := c.Args().First()
 	if tunnelRef == "" {
 		// see if tunnel id was in the config file
 		tunnelRef = config.GetConfiguration().TunnelID
 		if tunnelRef == "" {
 			return cliutil.UsageError(`"cloudflared tunnel run" requires the ID or name of the tunnel to run as the last command line argument or in the configuration file.`)
 		}
 	}
 	if c.String("hostname") != "" {
 		sc.log.Warn().Msg("The property `hostname` in your configuration is ignored because you configured a Named Tunnel " +
@ -652,38 +633,7 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
-	// Check if token is provided and if not use default tunnelID flag method
+	return runNamedTunnel(sc, tunnelRef)
 	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
 		if tunnelRef == "" {
 			// see if tunnel id was in the config file
 			tunnelRef = config.GetConfiguration().TunnelID
 			if tunnelRef == "" {
 				return cliutil.UsageError(`"cloudflared tunnel run" requires the ID or name of the tunnel to run as the last command line argument or in the configuration file.`)
 			}
 		}
 		return runNamedTunnel(sc, tunnelRef)
 	}
 }
 func ParseToken(tokenStr string) (*connection.TunnelToken, error) {
 	content, err := base64.StdEncoding.DecodeString(tokenStr)
 	if err != nil {
 		return nil, err
 	}
 	var token connection.TunnelToken
 	if err := json.Unmarshal(content, &token); err != nil {
 		return nil, err
 	}
 	return &token, nil
 }
 func runNamedTunnel(sc *subcommandContext, tunnelRef string) error {
@ -691,6 +641,9 @@ func runNamedTunnel(sc *subcommandContext, tunnelRef string) error {
 	if err != nil {
 		return errors.Wrap(err, "error parsing tunnel ID")
 	}
 	sc.log.Info().Str(LogFieldTunnelID, tunnelID.String()).Msg("Starting tunnel")
 	return sc.run(tunnelID)
 }
@ -724,59 +677,6 @@ func cleanupCommand(c *cli.Context) error {
 	return sc.cleanupConnections(tunnelIDs)
 }
 func buildTokenCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "token",
 		Action:             cliutil.ConfiguredAction(tokenCommand),
 		Usage:              "Fetch the credentials token for an existing tunnel (by name or UUID) that allows to run it",
 		UsageText:          "cloudflared tunnel [tunnel command options] token [subcommand options] TUNNEL",
 		Description:        "cloudflared tunnel token will fetch the credentials token for a given tunnel (by its name or UUID), which is then used to run the tunnel. This command fails if the tunnel does not exist or has been deleted. Use the flag `cloudflared tunnel token --cred-file /my/path/file.json TUNNEL` to output the token to the credentials JSON file. Note: this command only works for Tunnels created since cloudflared version 2022.3.0",
 		Flags:              []cli.Flag{credentialsFileFlagCLIOnly},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func tokenCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return errors.Wrap(err, "error setting up logger")
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	if c.NArg() != 1 {
 		return cliutil.UsageError(`"cloudflared tunnel token" requires exactly 1 argument, the name or UUID of tunnel to fetch the credentials token for.`)
 	}
 	tunnelID, err := sc.findID(c.Args().First())
 	if err != nil {
 		return errors.Wrap(err, "error parsing tunnel ID")
 	}
 	token, err := sc.getTunnelTokenCredentials(tunnelID)
 	if err != nil {
 		return err
 	}
 	if path := c.String(CredFileFlag); path != "" {
 		credentials := token.Credentials()
 		err := writeTunnelCredentials(path, &credentials)
 		if err != nil {
 			return errors.Wrapf(err, "error writing token credentials to JSON file in path %s", path)
 		}
 		return nil
 	}
 	encodedToken, err := token.Encode()
 	if err != nil {
 		return err
 	}
 	fmt.Println(encodedToken)
 	return nil
 }
 func buildRouteCommand() *cli.Command {
 	return &cli.Command{
 		Name:      "route",
@ -802,7 +702,7 @@ Further information about managing Cloudflare WARP traffic to your tunnel is ava
 			{
 				Name:        "dns",
 				Action:      cliutil.ConfiguredAction(routeDnsCommand),
-				Usage:       "HostnameRoute a hostname by creating a DNS CNAME record to a tunnel",
+				Usage:       "Route a hostname by creating a DNS CNAME record to a tunnel",
 				UsageText:   "cloudflared tunnel route dns [TUNNEL] [HOSTNAME]",
 				Description: `Creates a DNS CNAME record hostname that points to the tunnel.`,
 				Flags:       []cli.Flag{overwriteDNSFlag},
@ -811,7 +711,7 @@ Further information about managing Cloudflare WARP traffic to your tunnel is ava
 				Name:        "lb",
 				Action:      cliutil.ConfiguredAction(routeLbCommand),
 				Usage:       "Use this tunnel as a load balancer origin, creating pool and load balancer if necessary",
-				UsageText:   "cloudflared tunnel route lb [TUNNEL] [HOSTNAME] [LB-POOL-NAME]",
+				UsageText:   "cloudflared tunnel route dns [TUNNEL] [HOSTNAME] [LB-POOL]",
 				Description: `Creates Load Balancer with an origin pool that points to the tunnel.`,
 			},
 			buildRouteIPSubcommand(),
@ -819,7 +719,7 @@ Further information about managing Cloudflare WARP traffic to your tunnel is ava
 	}
 }
-func dnsRouteFromArg(c *cli.Context, overwriteExisting bool) (cfapi.HostnameRoute, error) {
+func dnsRouteFromArg(c *cli.Context, overwriteExisting bool) (tunnelstore.Route, error) {
 	const (
 		userHostnameIndex = 1
 		expectedNArgs     = 2
@ -833,10 +733,10 @@ func dnsRouteFromArg(c *cli.Context, overwriteExisting bool) (cfapi.HostnameRout
 	} else if !validateHostname(userHostname, true) {
 		return nil, errors.Errorf("%s is not a valid hostname", userHostname)
 	}
-	return cfapi.NewDNSRoute(userHostname, overwriteExisting), nil
+	return tunnelstore.NewDNSRoute(userHostname, overwriteExisting), nil
 }
-func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
+func lbRouteFromArg(c *cli.Context) (tunnelstore.Route, error) {
 	const (
 		lbNameIndex   = 1
 		lbPoolIndex   = 2
@ -859,7 +759,7 @@ func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
 		return nil, errors.Errorf("%s is not a valid pool name", lbPool)
 	}
-	return cfapi.NewLBRoute(lbName, lbPool), nil
+	return tunnelstore.NewLBRoute(lbName, lbPool), nil
 }
 var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
@ -906,7 +806,7 @@ func routeCommand(c *cli.Context, routeType string) error {
 	if err != nil {
 		return err
 	}
-	var route cfapi.HostnameRoute
+	var route tunnelstore.Route
 	switch routeType {
 	case "dns":
 		route, err = dnsRouteFromArg(c, c.Bool(overwriteDNSFlagName))
@ -931,7 +831,7 @@ func commandHelpTemplate() string {
 	for _, f := range configureCloudflaredFlags(false) {
 		parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
 	}
-	for _, f := range cliutil.ConfigureLoggingFlags(false) {
+	for _, f := range configureLoggingFlags(false) {
 		parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
 	}
 	const template = `NAME:
--- a/cmd/cloudflared/tunnel/subcommands_test.go
+++ b/cmd/cloudflared/tunnel/subcommands_test.go
@ -1,23 +1,19 @@
 package tunnel
 import (
 	"encoding/base64"
 	"encoding/json"
 	"path/filepath"
 	"testing"
 	"github.com/google/uuid"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/cloudflare/cloudflared/cfapi"
+	"github.com/cloudflare/cloudflared/tunnelstore"
 	"github.com/cloudflare/cloudflared/connection"
 )
 func Test_fmtConnections(t *testing.T) {
 	type args struct {
-		connections []cfapi.Connection
+		connections []tunnelstore.Connection
 	}
 	tests := []struct {
 		name string
@ -27,14 +23,14 @@ func Test_fmtConnections(t *testing.T) {
 		{
 			name: "empty",
 			args: args{
-				connections: []cfapi.Connection{},
+				connections: []tunnelstore.Connection{},
 			},
 			want: "",
 		},
 		{
 			name: "trivial",
 			args: args{
-				connections: []cfapi.Connection{
+				connections: []tunnelstore.Connection{
 					{
 						ColoName: "DFW",
 						ID:       uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
@ -46,7 +42,7 @@ func Test_fmtConnections(t *testing.T) {
 		{
 			name: "with a pending reconnect",
 			args: args{
-				connections: []cfapi.Connection{
+				connections: []tunnelstore.Connection{
 					{
 						ColoName:           "DFW",
 						ID:                 uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
@ -59,7 +55,7 @@ func Test_fmtConnections(t *testing.T) {
 		{
 			name: "many colos",
 			args: args{
-				connections: []cfapi.Connection{
+				connections: []tunnelstore.Connection{
 					{
 						ColoName: "YRV",
 						ID:       uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
@ -181,24 +177,3 @@ func Test_validateHostname(t *testing.T) {
 		})
 	}
 }
 func Test_TunnelToken(t *testing.T) {
 	token, err := ParseToken("aabc")
 	require.Error(t, err)
 	require.Nil(t, token)
 	expectedToken := &connection.TunnelToken{
 		AccountTag:   "abc",
 		TunnelSecret: []byte("secret"),
 		TunnelID:     uuid.New(),
 	}
 	tokenJsonStr, err := json.Marshal(expectedToken)
 	require.NoError(t, err)
 	token64 := base64.StdEncoding.EncodeToString(tokenJsonStr)
 	token, err = ParseToken(token64)
 	require.NoError(t, err)
 	require.Equal(t, token, expectedToken)
 }
--- a/cmd/cloudflared/tunnel/tag.go
+++ b/cmd/cloudflared/tunnel/tag.go
@ -4,23 +4,23 @@ import (
 	"fmt"
 	"regexp"
-	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Restrict key names to characters allowed in an HTTP header name.
 // Restrict key values to printable characters (what is recognised as data in an HTTP header value).
 var tagRegexp = regexp.MustCompile("^([a-zA-Z0-9!#$%&'*+\\-.^_`|~]+)=([[:print:]]+)$")
-func NewTagFromCLI(compoundTag string) (pogs.Tag, bool) {
+func NewTagFromCLI(compoundTag string) (tunnelpogs.Tag, bool) {
 	matches := tagRegexp.FindStringSubmatch(compoundTag)
 	if len(matches) == 0 {
-		return pogs.Tag{}, false
+		return tunnelpogs.Tag{}, false
 	}
-	return pogs.Tag{Name: matches[1], Value: matches[2]}, true
+	return tunnelpogs.Tag{Name: matches[1], Value: matches[2]}, true
 }
-func NewTagSliceFromCLI(tags []string) ([]pogs.Tag, error) {
+func NewTagSliceFromCLI(tags []string) ([]tunnelpogs.Tag, error) {
-	var tagSlice []pogs.Tag
+	var tagSlice []tunnelpogs.Tag
 	for _, compoundTag := range tags {
 		if tag, ok := NewTagFromCLI(compoundTag); ok {
 			tagSlice = append(tagSlice, tag)
--- a/cmd/cloudflared/tunnel/tag_test.go
+++ b/cmd/cloudflared/tunnel/tag_test.go
@ -3,7 +3,7 @@ package tunnel
 import (
 	"testing"
-	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	"github.com/stretchr/testify/assert"
 )
@ -11,12 +11,12 @@ import (
 func TestSingleTag(t *testing.T) {
 	testCases := []struct {
 		Input  string
-		Output pogs.Tag
+		Output tunnelpogs.Tag
 		Fail   bool
 	}{
-		{Input: "x=y", Output: pogs.Tag{Name: "x", Value: "y"}},
+		{Input: "x=y", Output: tunnelpogs.Tag{Name: "x", Value: "y"}},
-		{Input: "More-Complex=Tag Values", Output: pogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
+		{Input: "More-Complex=Tag Values", Output: tunnelpogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
-		{Input: "First=Equals=Wins", Output: pogs.Tag{Name: "First", Value: "Equals=Wins"}},
+		{Input: "First=Equals=Wins", Output: tunnelpogs.Tag{Name: "First", Value: "Equals=Wins"}},
 		{Input: "x=", Fail: true},
 		{Input: "=y", Fail: true},
 		{Input: "=", Fail: true},
--- a/cmd/cloudflared/tunnel/teamnet_subcommands.go
+++ b/cmd/cloudflared/tunnel/teamnet_subcommands.go
@ -6,56 +6,35 @@ import (
 	"os"
 	"text/tabwriter"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
-)
+	"github.com/cloudflare/cloudflared/teamnet"
-var (
+	"github.com/urfave/cli/v2"
 	vnetFlag = &cli.StringFlag{
 		Name:    "vnet",
 		Aliases: []string{"vn"},
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
 	routeAddError = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 func buildRouteIPSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:      "ip",
-		Usage:     "Configure and query Cloudflare WARP routing to private IP networks made available through Cloudflare Tunnels.",
+		Usage:     "Configure and query Cloudflare WARP routing to services or private networks available through this tunnel.",
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
-		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
+		Description: `cloudflared can provision private routes from any IP space to origins in your corporate network.
-your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
+Users enrolled in your Cloudflare for Teams organization can reach those routes through the
-client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+Cloudflare WARP client. You can also build rules to determine who can reach certain routes.`,
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
 then you have to manage the ambiguous IP routes by associating them to virtual networks.
 See "cloudflared tunnel vnet --help" for more information.`,
 		Subcommands: []*cli.Command{
 			{
 				Name:      "add",
 				Action:    cliutil.ConfiguredAction(addRouteCommand),
-				Usage:     "Add a new network to the routing table reachable via a Tunnel",
+				Usage:     "Add any new network to the routing table reachable via the tunnel",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip add [flags] [CIDR] [TUNNEL] [COMMENT?]",
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip add [CIDR] [TUNNEL] [COMMENT?]",
-				Description: `Adds a network IP route space (represented as a CIDR) to your routing table.
+				Description: `Adds any network route space (represented as a CIDR) to your routing table.
-That network IP space becomes reachable for requests egressing from a user's machine
+That network space becomes reachable for requests egressing from a user's machine
 as long as it is using Cloudflare WARP client and is enrolled in the same account
-that is running the Tunnel chosen here. Further, those requests will be proxied to
+that is running the tunnel chosen here. Further, those requests will be proxied to
-the specified Tunnel, and reach an IP in the given CIDR, as long as that IP is
+the specified tunnel, and reach an IP in the given CIDR, as long as that IP is
-reachable from cloudflared.
+reachable from the tunnel.`,
 If the CIDR exists in more than one private network, to be connected with Cloudflare
 Tunnels, then you have to manage those IP routes with virtual networks (see
 "cloudflared tunnel vnet --help)". In those cases, you then have to tell
 which virtual network's routing table you want to add the route to with:
 "cloudflared tunnel route ip add --vnet [ID/name] [CIDR] [TUNNEL]".`,
 				Flags: []cli.Flag{vnetFlag},
 			},
 			{
 				Name:        "show",
@ -70,20 +49,17 @@ which virtual network's routing table you want to add the route to with:
 				Name:      "delete",
 				Action:    cliutil.ConfiguredAction(deleteRouteCommand),
 				Usage:     "Delete a row from your organization's private routing table",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [flags] [Route ID or CIDR]",
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [CIDR]",
-				Description: `Deletes the row for the given route ID from your routing table. That portion of your network
+				Description: `Deletes the row for a given CIDR from your routing table. That portion
-will no longer be reachable.`,
+of your network will no longer be reachable by the WARP clients.`,
 				Flags: []cli.Flag{vnetFlag},
 			},
 			{
 				Name:      "get",
 				Action:    cliutil.ConfiguredAction(getRouteByIPCommand),
 				Usage:     "Check which row of the routing table matches a given IP.",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip get [flags] [IP]",
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip get [IP]",
-				Description: `Checks which row of the routing table will be used to proxy a given IP. This helps check
+				Description: `Checks which row of the routing table will be used to proxy a given IP.
-and validate your config. Note that if you use virtual networks, then you have
+				This helps check and validate your config.`,
 to tell which virtual network whose routing table you want to use.`,
 				Flags: []cli.Flag{vnetFlag},
 			},
 		},
 	}
@ -91,7 +67,7 @@ to tell which virtual network whose routing table you want to use.`,
 func showRoutesFlags() []cli.Flag {
 	flags := make([]cli.Flag, 0)
-	flags = append(flags, cfapi.IpRouteFilterFlags...)
+	flags = append(flags, teamnet.FilterFlags...)
 	flags = append(flags, outputFormatFlag)
 	return flags
 }
@ -102,7 +78,7 @@ func showRoutesCommand(c *cli.Context) error {
 		return err
 	}
-	filter, err := cfapi.NewIpRouteFilterFromCLI(c)
+	filter, err := teamnet.NewFromCLI(c)
 	if err != nil {
 		return errors.Wrap(err, "invalid config for routing filters")
 	}
@ -122,7 +98,7 @@ func showRoutesCommand(c *cli.Context) error {
 	if len(routes) > 0 {
 		formatAndPrintRouteList(routes)
 	} else {
-		fmt.Println("No routes were found for the given filter flags. You can use 'cloudflared tunnel route ip add' to add a route.")
+		fmt.Println("You have no routes, use 'cloudflared tunnel route ip add' to add a route")
 	}
 	return nil
@ -136,9 +112,7 @@ func addRouteCommand(c *cli.Context) error {
 	if c.NArg() < 2 {
 		return errors.New("You must supply at least 2 arguments, first the network you wish to route (in CIDR form e.g. 1.2.3.4/32) and then the tunnel ID to proxy with")
 	}
 	args := c.Args()
 	_, network, err := net.ParseCIDR(args.Get(0))
 	if err != nil {
 		return errors.Wrap(err, "Invalid network CIDR")
@ -146,32 +120,19 @@ func addRouteCommand(c *cli.Context) error {
 	if network == nil {
 		return errors.New("Invalid network CIDR")
 	}
 	tunnelRef := args.Get(1)
 	tunnelID, err := sc.findID(tunnelRef)
 	if err != nil {
 		return errors.Wrap(err, "Invalid tunnel")
 	}
 	comment := ""
 	if c.NArg() >= 3 {
 		comment = args.Get(2)
 	}
-
+	_, err = sc.addRoute(teamnet.NewRoute{
 	var vnetId *uuid.UUID
 	if c.IsSet(vnetFlag.Name) {
 		id, err := getVnetId(sc, c.String(vnetFlag.Name))
 		if err != nil {
 			return err
 		}
 		vnetId = &id
 	}
 	_, err = sc.addRoute(cfapi.NewRoute{
 		Comment:  comment,
 		Network:  *network,
 		TunnelID: tunnelID,
 		VNetID:   vnetId,
 	})
 	if err != nil {
 		return errors.Wrap(err, "API error")
@ -185,38 +146,20 @@ func deleteRouteCommand(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
 	if c.NArg() != 1 {
-		return routeAddError
+		return errors.New("You must supply exactly one argument, the network whose route you want to delete (in CIDR form e.g. 1.2.3.4/32)")
 	}
-
+	_, network, err := net.ParseCIDR(c.Args().First())
 	var routeId uuid.UUID
 	routeId, err = uuid.Parse(c.Args().First())
 	if err != nil {
-		_, network, err := net.ParseCIDR(c.Args().First())
+		return errors.Wrap(err, "Invalid network CIDR")
 		if err != nil || network == nil {
 			return routeAddError
 		}
 		var vnetId *uuid.UUID
 		if c.IsSet(vnetFlag.Name) {
 			id, err := getVnetId(sc, c.String(vnetFlag.Name))
 			if err != nil {
 				return err
 			}
 			vnetId = &id
 		}
 		routeId, err = sc.getRouteId(*network, vnetId)
 		if err != nil {
 			return err
 		}
 	}
-
+	if network == nil {
-	if err := sc.deleteRoute(routeId); err != nil {
+		return errors.New("Invalid network CIDR")
 	}
 	if err := sc.deleteRoute(*network); err != nil {
 		return errors.Wrap(err, "API error")
 	}
-	fmt.Printf("Successfully deleted route with ID %s\n", routeId)
+	fmt.Printf("Successfully deleted route for %s\n", network)
 	return nil
 }
@ -234,32 +177,19 @@ func getRouteByIPCommand(c *cli.Context) error {
 	if ip == nil {
 		return fmt.Errorf("Invalid IP %s", ipInput)
 	}
-
+	route, err := sc.getRouteByIP(ip)
 	params := cfapi.GetRouteByIpParams{
 		Ip: ip,
 	}
 	if c.IsSet(vnetFlag.Name) {
 		vnetId, err := getVnetId(sc, c.String(vnetFlag.Name))
 		if err != nil {
 			return err
 		}
 		params.VNetID = &vnetId
 	}
 	route, err := sc.getRouteByIP(params)
 	if err != nil {
 		return errors.Wrap(err, "API error")
 	}
 	if route.IsZero() {
 		fmt.Printf("No route matches the IP %s\n", ip)
 	} else {
-		formatAndPrintRouteList([]*cfapi.DetailedRoute{&route})
+		formatAndPrintRouteList([]*teamnet.DetailedRoute{&route})
 	}
 	return nil
 }
-func formatAndPrintRouteList(routes []*cfapi.DetailedRoute) {
+func formatAndPrintRouteList(routes []*teamnet.DetailedRoute) {
 	const (
 		minWidth = 0
 		tabWidth = 8
@ -272,7 +202,7 @@ func formatAndPrintRouteList(routes []*cfapi.DetailedRoute) {
 	defer writer.Flush()
 	// Print column headers with tabbed columns
-	_, _ = fmt.Fprintln(writer, "ID\tNETWORK\tVIRTUAL NET ID\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
+	_, _ = fmt.Fprintln(writer, "NETWORK\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
 	// Loop through routes, create formatted string for each, and print using tabwriter
 	for _, route := range routes {
--- a/cmd/cloudflared/tunnel/vnets_subcommands.go
+++ b/cmd/cloudflared/tunnel/vnets_subcommands.go
@ -1,297 +0,0 @@
 package tunnel
 import (
 	"fmt"
 	"os"
 	"text/tabwriter"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 )
 var (
 	makeDefaultFlag = &cli.BoolFlag{
 		Name:    "default",
 		Aliases: []string{"d"},
 		Usage: "The virtual network becomes the default one for the account. This means that all operations that " +
 			"omit a virtual network will now implicitly be using this virtual network (i.e., the default one) such " +
 			"as new IP routes that are created. When this flag is not set, the virtual network will not become the " +
 			"default one in the account.",
 	}
 	newNameFlag = &cli.StringFlag{
 		Name:    "name",
 		Aliases: []string{"n"},
 		Usage:   "The new name for the virtual network.",
 	}
 	newCommentFlag = &cli.StringFlag{
 		Name:    "comment",
 		Aliases: []string{"c"},
 		Usage:   "A new comment describing the purpose of the virtual network.",
 	}
 	vnetForceDeleteFlag = &cli.BoolFlag{
 		Name:    "force",
 		Aliases: []string{"f"},
 		Usage: "Force the deletion of the virtual network even if it is being relied upon by other resources. Those" +
 			"resources will either be deleted (e.g. IP Routes) or moved to the current default virutal network.",
 	}
 )
 func buildVirtualNetworkSubcommand(hidden bool) *cli.Command {
 	return &cli.Command{
 		Name:      "vnet",
 		Usage:     "Configure and query virtual networks to manage private IP routes with overlapping IPs.",
 		UsageText: "cloudflared tunnel [--config FILEPATH] network COMMAND [arguments...]",
 		Description: `cloudflared allows to manage IP routes that expose origins in your private network space via their IP directly
 to clients outside (e.g. using WARP client) --- those are configurable via "cloudflared tunnel route ip" commands.
 By default, all those IP routes live in the same virtual network. Managing virtual networks (e.g. by creating a
 new one) becomes relevant when you have different private networks that have overlapping IPs. E.g.: if you have
 a private network A running Tunnel 1, and private network B running Tunnel 2, it is possible that both Tunnels
 expose the same IP space (say 10.0.0.0/8); to handle that, you have to add each IP Route (one that points to
 Tunnel 1 and another that points to Tunnel 2) in different Virtual Networks. That way, if your clients are on
 Virtual Network X, they will see Tunnel 1 (via Route A) and not see Tunnel 2 (since its Route B is associated
 to another Virtual Network Y).`,
 		Hidden: hidden,
 		Subcommands: []*cli.Command{
 			{
 				Name:      "add",
 				Action:    cliutil.ConfiguredAction(addVirtualNetworkCommand),
 				Usage:     "Add a new virtual network to which IP routes can be attached",
 				UsageText: "cloudflared tunnel [--config FILEPATH] network add [flags] NAME [\"comment\"]",
 				Description: `Adds a new virtual network. You can then attach IP routes to this virtual network with "cloudflared tunnel route ip"
 commands. By doing so, such route(s) become segregated from route(s) in another virtual networks. Note that all
 routes exist within some virtual network. If you do not specify any, then the system pre-creates a default virtual
 network to which all routes belong. That is fine if you do not have overlapping IPs within different physical
 private networks in your infrastructure exposed via Cloudflare Tunnel. Note: if a virtual network is added as
 the new default, then the previous existing default virtual network will be automatically modified to no longer
 be the current default.`,
 				Flags:  []cli.Flag{makeDefaultFlag},
 				Hidden: hidden,
 			},
 			{
 				Name:        "list",
 				Action:      cliutil.ConfiguredAction(listVirtualNetworksCommand),
 				Usage:       "Lists the virtual networks",
 				UsageText:   "cloudflared tunnel [--config FILEPATH] network list [flags]",
 				Description: "Lists the virtual networks based on the given filter flags.",
 				Flags:       listVirtualNetworksFlags(),
 				Hidden:      hidden,
 			},
 			{
 				Name:      "delete",
 				Action:    cliutil.ConfiguredAction(deleteVirtualNetworkCommand),
 				Usage:     "Delete a virtual network",
 				UsageText: "cloudflared tunnel [--config FILEPATH] network delete VIRTUAL_NETWORK",
 				Description: `Deletes the virtual network (given its ID or name). This is only possible if that virtual network is unused. 
 A virtual network may be used by IP routes or by WARP devices.`,
 				Flags:  []cli.Flag{vnetForceDeleteFlag},
 				Hidden: hidden,
 			},
 			{
 				Name:      "update",
 				Action:    cliutil.ConfiguredAction(updateVirtualNetworkCommand),
 				Usage:     "Update a virtual network",
 				UsageText: "cloudflared tunnel [--config FILEPATH] network update [flags] VIRTUAL_NETWORK",
 				Description: `Updates the virtual network (given its ID or name). If this virtual network is updated to become the new
 default, then the previously existing default virtual network will also be modified to no longer be the default.
 You cannot update a virtual network to not be the default anymore directly. Instead, you should create a new
 default or update an existing one to become the default.`,
 				Flags:  []cli.Flag{newNameFlag, newCommentFlag, makeDefaultFlag},
 				Hidden: hidden,
 			},
 		},
 	}
 }
 func listVirtualNetworksFlags() []cli.Flag {
 	flags := make([]cli.Flag, 0)
 	flags = append(flags, cfapi.VnetFilterFlags...)
 	flags = append(flags, outputFormatFlag)
 	return flags
 }
 func addVirtualNetworkCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	if c.NArg() < 1 {
 		return errors.New("You must supply at least 1 argument, the name of the virtual network you wish to add.")
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	args := c.Args()
 	name := args.Get(0)
 	comment := ""
 	if c.NArg() >= 2 {
 		comment = args.Get(1)
 	}
 	newVnet := cfapi.NewVirtualNetwork{
 		Name:      name,
 		Comment:   comment,
 		IsDefault: c.Bool(makeDefaultFlag.Name),
 	}
 	createdVnet, err := sc.addVirtualNetwork(newVnet)
 	if err != nil {
 		return errors.Wrap(err, "Could not add virtual network")
 	}
 	extraMsg := ""
 	if createdVnet.IsDefault {
 		extraMsg = " (as the new default for this account) "
 	}
 	fmt.Printf(
 		"Successfully added virtual 'network' %s with ID: %s%s\n"+
 			"You can now add IP routes attached to this virtual network. See `cloudflared tunnel route ip add -help`\n",
 		name, createdVnet.ID, extraMsg,
 	)
 	return nil
 }
 func listVirtualNetworksCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	filter, err := cfapi.NewFromCLI(c)
 	if err != nil {
 		return errors.Wrap(err, "invalid flags for filtering virtual networks")
 	}
 	vnets, err := sc.listVirtualNetworks(filter)
 	if err != nil {
 		return err
 	}
 	if outputFormat := c.String(outputFormatFlag.Name); outputFormat != "" {
 		return renderOutput(outputFormat, vnets)
 	}
 	if len(vnets) > 0 {
 		formatAndPrintVnetsList(vnets)
 	} else {
 		fmt.Println("No virtual networks were found for the given filter flags. You can use 'cloudflared tunnel vnet add' to add a virtual network.")
 	}
 	return nil
 }
 func deleteVirtualNetworkCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	if c.NArg() < 1 {
 		return errors.New("You must supply exactly one argument, either the ID or name of the virtual network to delete")
 	}
 	input := c.Args().Get(0)
 	vnetId, err := getVnetId(sc, input)
 	if err != nil {
 		return err
 	}
 	forceDelete := false
 	if c.IsSet(vnetForceDeleteFlag.Name) {
 		forceDelete = c.Bool(vnetForceDeleteFlag.Name)
 	}
 	if err := sc.deleteVirtualNetwork(vnetId, forceDelete); err != nil {
 		return errors.Wrap(err, "API error")
 	}
 	fmt.Printf("Successfully deleted virtual network '%s'\n", input)
 	return nil
 }
 func updateVirtualNetworkCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	if c.NArg() != 1 {
 		return errors.New(" You must supply exactly one argument, either the ID or (current) name of the virtual network to update")
 	}
 	input := c.Args().Get(0)
 	vnetId, err := getVnetId(sc, input)
 	if err != nil {
 		return err
 	}
 	updates := cfapi.UpdateVirtualNetwork{}
 	if c.IsSet(newNameFlag.Name) {
 		newName := c.String(newNameFlag.Name)
 		updates.Name = &newName
 	}
 	if c.IsSet(newCommentFlag.Name) {
 		newComment := c.String(newCommentFlag.Name)
 		updates.Comment = &newComment
 	}
 	if c.IsSet(makeDefaultFlag.Name) {
 		isDefault := c.Bool(makeDefaultFlag.Name)
 		updates.IsDefault = &isDefault
 	}
 	if err := sc.updateVirtualNetwork(vnetId, updates); err != nil {
 		return errors.Wrap(err, "API error")
 	}
 	fmt.Printf("Successfully updated virtual network '%s'\n", input)
 	return nil
 }
 func getVnetId(sc *subcommandContext, input string) (uuid.UUID, error) {
 	val, err := uuid.Parse(input)
 	if err == nil {
 		return val, nil
 	}
 	filter := cfapi.NewVnetFilter()
 	filter.WithDeleted(false)
 	filter.ByName(input)
 	vnets, err := sc.listVirtualNetworks(filter)
 	if err != nil {
 		return uuid.Nil, err
 	}
 	if len(vnets) != 1 {
 		return uuid.Nil, fmt.Errorf("there should only be 1 non-deleted virtual network named %s", input)
 	}
 	return vnets[0].ID, nil
 }
 func formatAndPrintVnetsList(vnets []*cfapi.VirtualNetwork) {
 	const (
 		minWidth = 0
 		tabWidth = 8
 		padding  = 1
 		padChar  = ' '
 		flags    = 0
 	)
 	writer := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)
 	defer writer.Flush()
 	_, _ = fmt.Fprintln(writer, "ID\tNAME\tIS DEFAULT\tCOMMENT\tCREATED\tDELETED\t")
 	for _, virtualNetwork := range vnets {
 		formattedStr := virtualNetwork.TableString()
 		_, _ = fmt.Fprintln(writer, formattedStr)
 	}
 }
--- a/cmd/cloudflared/ui/launch_ui.go
+++ b/cmd/cloudflared/ui/launch_ui.go
@ -0,0 +1,223 @@
 package ui
 import (
 	"context"
 	"fmt"
 	"strings"
 	"github.com/gdamore/tcell"
 	"github.com/rivo/tview"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/ingress"
 )
 type connState struct {
 	location string
 }
 type uiModel struct {
 	version       string
 	edgeURL       string
 	metricsURL    string
 	localServices []string
 	connections   []connState
 }
 type palette struct {
 	url          string
 	connected    string
 	defaultText  string
 	disconnected string
 	reconnecting string
 	unregistered string
 }
 func NewUIModel(version, hostname, metricsURL string, ing *ingress.Ingress, haConnections int) *uiModel {
 	localServices := make([]string, len(ing.Rules))
 	for i, rule := range ing.Rules {
 		localServices[i] = rule.Service.String()
 	}
 	return &uiModel{
 		version:       version,
 		edgeURL:       hostname,
 		metricsURL:    metricsURL,
 		localServices: localServices,
 		connections:   make([]connState, haConnections),
 	}
 }
 func (data *uiModel) Launch(
 	ctx context.Context,
 	log, transportLog *zerolog.Logger,
 ) connection.EventSink {
 	// Configure the logger to stream logs into the textview
 	// Add TextView as a group to write output to
 	logTextView := NewDynamicColorTextView()
 	// TODO: Format log for UI
 	//log.Add(logTextView, logger.NewUIFormatter(time.RFC3339), logLevels...)
 	//transportLog.Add(logTextView, logger.NewUIFormatter(time.RFC3339), logLevels...)
 	// Construct the UI
 	palette := palette{
 		url:          "lightblue",
 		connected:    "lime",
 		defaultText:  "white",
 		disconnected: "red",
 		reconnecting: "orange",
 		unregistered: "orange",
 	}
 	app := tview.NewApplication()
 	grid := tview.NewGrid().SetGap(1, 0)
 	frame := tview.NewFrame(grid)
 	header := fmt.Sprintf("cloudflared [::b]%s", data.version)
 	frame.AddText(header, true, tview.AlignLeft, tcell.ColorWhite)
 	// Create table to store connection info and status
 	connTable := tview.NewTable()
 	// SetColumns takes a value for each column, representing the size of the column
 	// Numbers <= 0 represent proportional widths and positive numbers represent absolute widths
 	grid.SetColumns(20, 0)
 	// SetRows takes a value for each row, representing the size of the row
 	grid.SetRows(1, 1, len(data.connections), 1, 0)
 	// AddItem takes a primitive tview type, row, column, rowSpan, columnSpan, minGridHeight, minGridWidth, and focus
 	grid.AddItem(tview.NewTextView().SetText("Tunnel:"), 0, 0, 1, 1, 0, 0, false)
 	grid.AddItem(tview.NewTextView().SetText("Status:"), 1, 0, 1, 1, 0, 0, false)
 	grid.AddItem(tview.NewTextView().SetText("Connections:"), 2, 0, 1, 1, 0, 0, false)
 	grid.AddItem(tview.NewTextView().SetText("Metrics:"), 3, 0, 1, 1, 0, 0, false)
 	tunnelHostText := tview.NewTextView().SetText(data.edgeURL)
 	grid.AddItem(tunnelHostText, 0, 1, 1, 1, 0, 0, false)
 	status := fmt.Sprintf("[%s]\u2022[%s] Proxying to [%s::b]%s", palette.connected, palette.defaultText, palette.url, strings.Join(data.localServices, ", "))
 	grid.AddItem(NewDynamicColorTextView().SetText(status), 1, 1, 1, 1, 0, 0, false)
 	grid.AddItem(connTable, 2, 1, 1, 1, 0, 0, false)
 	grid.AddItem(NewDynamicColorTextView().SetText(fmt.Sprintf("Metrics at [%s::b]http://%s/metrics", palette.url, data.metricsURL)), 3, 1, 1, 1, 0, 0, false)
 	// Add TextView to stream logs
 	// Logs are displayed in a new grid so a border can be set around them
 	logGrid := tview.NewGrid().SetBorders(true).AddItem(logTextView.SetChangedFunc(handleNewText(app, logTextView)), 0, 0, 5, 2, 0, 0, false)
 	// LogFrame holds the Logs header as well as the grid with the textView for streamed logs
 	logFrame := tview.NewFrame(logGrid).AddText("[::b]Logs:[::-]", true, tview.AlignLeft, tcell.ColorWhite).SetBorders(0, 0, 0, 0, 0, 0)
 	// Footer for log frame
 	logFrame.AddText("[::d]Use Ctrl+C to exit[::-]", false, tview.AlignRight, tcell.ColorWhite)
 	grid.AddItem(logFrame, 4, 0, 5, 2, 0, 0, false)
 	go func() {
 		<-ctx.Done()
 		app.Stop()
 		return
 	}()
 	go func() {
 		if err := app.SetRoot(frame, true).Run(); err != nil {
 			log.Error().Msgf("Error launching UI: %s", err)
 		}
 	}()
 	return connection.EventSinkFunc(func(event connection.Event) {
 		switch event.EventType {
 		case connection.Connected:
 			data.setConnTableCell(event, connTable, palette)
 		case connection.Disconnected, connection.Reconnecting, connection.Unregistering:
 			data.changeConnStatus(event, connTable, log, palette)
 		case connection.SetURL:
 			tunnelHostText.SetText(event.URL)
 			data.edgeURL = event.URL
 		case connection.RegisteringTunnel:
 			if data.edgeURL == "" {
 				tunnelHostText.SetText(fmt.Sprintf("Registering tunnel connection %d...", event.Index))
 			}
 		}
 		app.Draw()
 	})
 }
 func NewDynamicColorTextView() *tview.TextView {
 	return tview.NewTextView().SetDynamicColors(true)
 }
 // Re-draws application when new logs are streamed to UI
 func handleNewText(app *tview.Application, logTextView *tview.TextView) func() {
 	return func() {
 		app.Draw()
 		// SetFocus to enable scrolling in textview
 		app.SetFocus(logTextView)
 	}
 }
 func (data *uiModel) changeConnStatus(event connection.Event, table *tview.Table, log *zerolog.Logger, palette palette) {
 	index := int(event.Index)
 	// Get connection location and state
 	connState := data.getConnState(index)
 	// Check if connection is already displayed in UI
 	if connState == nil {
 		log.Info().Msg("Connection is not in the UI table")
 		return
 	}
 	locationState := event.Location
 	if event.EventType == connection.Reconnecting {
 		locationState = "Reconnecting..."
 	}
 	connectionNum := index + 1
 	// Get table cell
 	cell := table.GetCell(index, 0)
 	// Change dot color in front of text as well as location state
 	text := newCellText(palette, connectionNum, locationState, event.EventType)
 	cell.SetText(text)
 }
 // Return connection location and row in UI table
 func (data *uiModel) getConnState(connID int) *connState {
 	if connID < len(data.connections) {
 		return &data.connections[connID]
 	}
 	return nil
 }
 func (data *uiModel) setConnTableCell(event connection.Event, table *tview.Table, palette palette) {
 	index := int(event.Index)
 	connectionNum := index + 1
 	// Update slice to keep track of connection location and state in UI table
 	data.connections[index].location = event.Location
 	// Update text in table cell to show disconnected state
 	text := newCellText(palette, connectionNum, event.Location, event.EventType)
 	cell := tview.NewTableCell(text)
 	table.SetCell(index, 0, cell)
 }
 func newCellText(palette palette, connectionNum int, location string, connectedStatus connection.Status) string {
 	// HA connection indicator formatted as: "• #<CONNECTION_INDEX>: <COLO>",
 	//  where the left middle dot's color depends on the status of the connection
 	const connFmtString = "[%s]\u2022[%s] #%d: %s"
 	var dotColor string
 	switch connectedStatus {
 	case connection.Connected:
 		dotColor = palette.connected
 	case connection.Disconnected:
 		dotColor = palette.disconnected
 	case connection.Reconnecting:
 		dotColor = palette.reconnecting
 	case connection.Unregistering:
 		dotColor = palette.unregistered
 	}
 	return fmt.Sprintf(connFmtString, dotColor, palette.defaultText, connectionNum, location)
 }
--- a/cmd/cloudflared/updater/update.go
+++ b/cmd/cloudflared/updater/update.go
@ -6,22 +6,20 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/term"
+	"golang.org/x/crypto/ssh/terminal"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/argo-tunnel/reference/service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"
@ -32,8 +30,7 @@ const (
 )
 var (
-	buildInfo              *cliutil.BuildInfo
+	version string
 	BuiltForPackageManager = ""
 )
 // BinaryUpdated implements ExitCoder interface, the app will exit with status code 11
@ -82,8 +79,8 @@ func (uo *UpdateOutcome) noUpdate() bool {
 	return uo.Error == nil && uo.Updated == false
 }
-func Init(info *cliutil.BuildInfo) {
+func Init(v string) {
-	buildInfo = info
+	version = v
 }
 func CheckForUpdate(options updateOptions) (CheckResult, error) {
@ -97,26 +94,12 @@ func CheckForUpdate(options updateOptions) (CheckResult, error) {
 		url = StagingUpdateURL
 	}
-	if runtime.GOOS == "windows" {
+	s := NewWorkersService(version, url, cfdPath, Options{IsBeta: options.isBeta,
 		cfdPath = encodeWindowsPath(cfdPath)
 	}
 	s := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,
 		IsForced: options.isForced, RequestedVersion: options.intendedVersion})
 	return s.Check()
 }
 func encodeWindowsPath(path string) string {
 	// We do this because Windows allows spaces in directories such as
 	// Program Files but does not allow these directories to be spaced in batch files.
 	targetPath := strings.Replace(path, "Program Files (x86)", "PROGRA~2", -1)
 	// This is to do the same in 32 bit systems. We do this second so that the first
 	// replace is for x86 dirs.
 	targetPath = strings.Replace(targetPath, "Program Files", "PROGRA~1", -1)
 	return targetPath
 }
 func applyUpdate(options updateOptions, update CheckResult) UpdateOutcome {
 	if update.Version() == "" || options.updateDisabled {
 		return UpdateOutcome{UserMessage: update.UserMessage()}
@ -135,11 +118,7 @@ func Update(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	if wasInstalledFromPackageManager() {
-		packageManagerName := "a package manager"
+		log.Error().Msg("cloudflared was installed by a package manager. Please update using the same method.")
 		if BuiltForPackageManager != "" {
 			packageManagerName = BuiltForPackageManager
 		}
 		log.Error().Msg(fmt.Sprintf("cloudflared was installed by %s. Please update using the same method.", packageManagerName))
 		return nil
 	}
@ -198,9 +177,10 @@ func loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {
 // AutoUpdater periodically checks for new version of cloudflared.
 type AutoUpdater struct {
-	configurable *configurable
+	configurable     *configurable
-	listeners    *gracenet.Net
+	listeners        *gracenet.Net
-	log          *zerolog.Logger
+	updateConfigChan chan *configurable
 	log              *zerolog.Logger
 }
 // AutoUpdaterConfigurable is the attributes of AutoUpdater that can be reconfigured during runtime
@ -211,9 +191,10 @@ type configurable struct {
 func NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet.Net, log *zerolog.Logger) *AutoUpdater {
 	return &AutoUpdater{
-		configurable: createUpdateConfig(updateDisabled, freq, log),
+		configurable:     createUpdateConfig(updateDisabled, freq, log),
-		listeners:    listeners,
+		listeners:        listeners,
-		log:          log,
+		updateConfigChan: make(chan *configurable),
 		log:              log,
 	}
 }
@ -232,20 +213,12 @@ func createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Lo
 	}
 }
 // Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process
 // to use the new version. It delays the first update check by the configured frequency as to not attempt a
 // download immediately and restart after starting (in the case that there is an upgrade available).
 func (a *AutoUpdater) Run(ctx context.Context) error {
 	ticker := time.NewTicker(a.configurable.freq)
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-ticker.C:
 		}
 		updateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})
 		if updateOutcome.Updated {
-			buildInfo.CloudflaredVersion = updateOutcome.Version
+			Init(updateOutcome.Version)
 			if IsSysV() {
 				// SysV doesn't have a mechanism to keep service alive, we have to restart the process
 				a.log.Info().Msg("Restarting service managed by SysV...")
@ -262,9 +235,25 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
 		} else if updateOutcome.UserMessage != "" {
 			a.log.Warn().Msg(updateOutcome.UserMessage)
 		}
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case newConfigurable := <-a.updateConfigChan:
 			ticker.Stop()
 			a.configurable = newConfigurable
 			ticker = time.NewTicker(a.configurable.freq)
 			// Check if there is new version of cloudflared after receiving new AutoUpdaterConfigurable
 		case <-ticker.C:
 		}
 	}
 }
 // Update is the method to pass new AutoUpdaterConfigurable to a running AutoUpdater. It is safe to be called concurrently
 func (a *AutoUpdater) Update(updateDisabled bool, newFreq time.Duration) {
 	a.updateConfigChan <- createUpdateConfig(updateDisabled, newFreq, a.log)
 }
 func isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {
 	if !supportAutoUpdate(log) {
 		return false
@ -292,11 +281,11 @@ func supportAutoUpdate(log *zerolog.Logger) bool {
 func wasInstalledFromPackageManager() bool {
 	ok, _ := config.FileExists(filepath.Join(config.DefaultUnixConfigLocation, isManagedInstallFile))
-	return len(BuiltForPackageManager) != 0 || ok
+	return ok
 }
 func isRunningFromTerminal() bool {
-	return term.IsTerminal(int(os.Stdout.Fd()))
+	return terminal.IsTerminal(int(os.Stdout.Fd()))
 }
 func IsSysV() bool {
--- a/cmd/cloudflared/updater/update_test.go
+++ b/cmd/cloudflared/updater/update_test.go
@ -9,14 +9,8 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func init() {
 	Init(cliutil.GetBuildInfo("TEST", "TEST"))
 }
 func TestDisabledAutoUpdater(t *testing.T) {
 	listeners := &gracenet.Net{}
 	log := zerolog.Nop()
--- a/cmd/cloudflared/updater/workers_service.go
+++ b/cmd/cloudflared/updater/workers_service.go
@ -3,7 +3,6 @@ package updater
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"runtime"
 )
@ -57,9 +56,6 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	req, err := http.NewRequest(http.MethodGet, s.url, nil)
 	if err != nil {
 		return nil, err
 	}
 	q := req.URL.Query()
 	q.Add(OSKeyName, runtime.GOOS)
 	q.Add(ArchitectureKeyName, runtime.GOARCH)
@ -80,10 +76,6 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("unable to check for update: %d", resp.StatusCode)
 	}
 	var v VersionResponse
 	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
 		return nil, err
--- a/Show More
+++ b/Show More
`@ -1,4 +1,4 @@`
	`//go:build !windows && !darwin && !linux`	`// +build !windows,!darwin,!linux`

	`package main`	`package main`
`@ -1,4 +1,4 @@`
	`//go:build !windows`	`// +build !windows`

	`package tunnel`	`package tunnel`