Blog

A combination of our newsletter and other posts, where we talk about Tailscale, WireGuard®, 2-factor auth, and other networking-related topics.


Tailscale is officially SOC 2 compliant

David Anderson, Rachel Lubman, Denton Gentry and Maya Kaczorowski on

At Tailscale, we are ridiculously passionate about security and privacy—so much so that we built a product that, by design, can’t see your data. We don’t even want to see your data. Behind the scenes, we’ve been completing security audits, working with expert cryptographers to validate our key management, and ensuring we lock down access to our production environment.

We’re excited to announce that we’ve received our SOC 2 Type I report, reaffirming our commitment to security. Let’s dig into how Tailscale applies security controls to protect your information.

Latacora and Tailscale: A conversation on compliance

When Tailscale started working toward SOC 2, we started to ask some fundamental questions about growing and continually improving our security posture. This led us to partner with Latacora, a security firm that specializes in building information security practices for startups.

Tailscale extension for Docker Desktop launches at DockerCon

Ross Zurowski and Aaron Klotz on

You can use Tailscale to securely connect to the resources you need for development, including internal tools and databases, no matter where you are or where your development environment lives.

Today, as part of DockerCon, we’re excited to launch our Tailscale Docker Desktop extension. The Tailscale extension for Docker Desktop makes it easy to share exposed container ports from your local machine with other users and devices on your tailnet.

Use Tailscale in Docker Desktop to share a staged copy of your work with a colleague as part of a code review, or share in-progress feedback with teammates. Or access production resources from your development environment, such as a database, a package registry, or a licensing server. Because Tailscale works with SSO from your identity provider, Tailscale makes it easier to safely share what you’re working on with anyone in your organization, based on access controls.

Tailscale raises $100M… to fix the Internet

Avery Pennarun on
We’ve raised $100M in a Series B financing led by CRV and Insight Partners, with participation from our existing major investors: Accel, Heavybit, and Uncork Capital, along with a cast of many prominent angels and smaller investors.

We all have to do a better job managing our infrastructure

Laura Franzese on

This is an interview with Tailscale co-founder and CTO David Crawshaw from CyberNews, reprinted with permission.

The impressive technological progress led to a variety of exciting developments, such as the emergence of the cloud and wireless technology. With our lives being so interconnected with the digital realm, can we still have the same level of privacy as a few decades ago?

Tailscale Authentication for NGINX

Xe Iaso on

Previously on the Tailscale blog, I walked through how authentication works with Tailscale for Grafana and even for Minecraft. Today we’re going to take that basic concept and show how to extend it to services that you have proxied behind NGINX.

Android TV remote control

Elias Naur on

In this guest post, Elias Naur walks us through running Tailscale on Android TV.

Running Tailscale on an Android TV device is useful for the situations where you’re trying to connect to a big screen, but can’t use a desktop or mobile device. For example, you might want to access your home media server to watch your favorite TV shows when you’re on the go in a hotel room or Airbnb, and only have an Android TV stick to connect to the provided TV.

The Tailscale Android app now includes support for Android TV, and is available in the Google Play Store for compatible TV devices.

Read on for technical details on how we made this possible.

Sync Okta groups to use in your Tailscale ACLs

Onboarding and offboarding are some of the biggest operational challenges that face organizations today. When an employee switches teams, goes on leave, or exits, an admin typically deactivates them in their identity provider—and unfortunately, in 2022, that’s a recurring management burden. Tailscale already allows you to use your organization’s existing identity provider to manage access to devices and services in your network, including authentication settings such as multi-factor authentication. Then, to manage access to devices on your Tailscale network, you can define access control lists (ACLs) that specify which sources, such as users, groups, hosts, or tags, can access which destinations and on which ports. Access rules can include groups, which allow you to easily grant access to many users for the same resources, such as those on the same team or in the same role. However, instead of defining groups in Tailscale, you might prefer to refer to groups you already have defined in your identity provider.
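As an added illustration (not from the original post, and not Tailscale's own example): a minimal tailnet policy file in the HuJSON format Tailscale uses, showing a group referenced from the identity provider next to one defined inline. The group, tag, user and port names are placeholders; check the Tailscale docs for how synced groups are named in your tailnet before copying the `group:engineering` reference.

```hujson
{
  // Groups defined inline in the policy file. Groups synced from your
  // identity provider are NOT listed here; they are referenced by name
  // directly in "acls" below, and membership is edited only in the IdP.
  "groups": {
    "group:oncall": ["alice@example.com", "bob@example.com"],
  },

  // tag:prod-db is a placeholder for the database servers.
  "tagOwners": {
    "tag:prod-db": ["group:oncall"],
  },

  "acls": [
    // Placeholder name for an IdP-synced group. Deactivating a user in the
    // identity provider removes them from this group, and so from this rule.
    {
      "action": "accept",
      "src":    ["group:engineering"],
      "dst":    ["tag:prod-db:5432"],
    },
    // A locally defined group, for contrast: membership lives in this file.
    {
      "action": "accept",
      "src":    ["group:oncall"],
      "dst":    ["tag:prod-db:22,5432"],
    },
  ],
}
```

The useful property is in the first rule: nothing in the policy file has to change when someone joins or leaves the engineering team, because the source of truth for that group is the identity provider.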

Tailscale Authentication For Minecraft

Xe Iaso and TJ Horner on
You can do many things with computers. Some of them are more productive than others. My recent blog post shows how to authenticate to any service, such as Grafana. Some people took the idea of using Tailscale for authenticating to any service as a neat fact. Others took this as a challenge to come up with even more creative applications of Tailscale for authentication. This is the story of one of the latter cases. This is how you can make your Minecraft server join your tailnet and authenticate to it with Tailscale. One big question you may be asking is, “why on earth would you want to do this?” I would like to counter this with another question: “why not?” As a great man has said, “science isn’t about ‘why?’ it’s about ‘why not?’” We take this philosophy seriously at Tailscale. Putting your Minecraft server into your tailnet with Tailscale for authentication gives you these advantages:

Tailscale logo on NASDAQ tower v1

Jessica Webb Kennedy on

Tailscale was included in Wing Venture Capital’s 2022 Enterprise Tech 30 List. While it’s an honor to be included, what we are most excited about is what inclusion in the list signifies.

Tailscale highlighted on the New York NASDAQ

March Tailscale newsletter

Laura Franzese on
We took a brief break from your inbox at the end of February. But we are back to making the Internet a bit more human and sharing some of the meaningful contributions from our community that help make that possible.

How To Seamlessly Authenticate to Grafana using Tailscale

Xe Iaso on
In a DevOps environment, you have to deal with a lot of different internal services that have their own authentication systems. This can take a lot of time and work to provision correctly, especially as part of user onboarding and offboarding. Tailscale already knows who you are, so for tools that you only make internally accessible in your tailnet, such as Grafana (a popular observability/statistics graphing service), we can take advantage of that to lighten the load. Instead of relying on each application to have its own authentication, by making the application available only inside your tailnet, you can control access based on the existing identities and authentication you have in your identity provider. You can then manage access to that service with the authorization controls you define in Tailscale ACLs. This post will assume the following things:

- You have administrative (sudo) access to the target machine
- You have HTTPS enabled for your tailnet (your-tailscale-https-domain.

A database for 2022

David Crawshaw on
Hi, it’s us again, the ones who used to store our database in a single JSON file on disk, and then moved to etcd. Time for another change! We’re going to put everything in a single file on disk again. As you might expect from our previous choice (and as many on the internet already predicted), we ran into some limits with etcd. Database size, write transaction frequency, of particular note: generating indexes. All of these were surmountable limits, but we were quickly running into the biggest limit: me. Until now, I have been allowed to choose just about anything for a database as long as I do all the work. But at a certain point, that doesn’t scale. The way to solve the issues with etcd was bespoke code. Every time someone else had to touch it, I had to explain it. Especially the indexing code. (Sorry.) What we need is something easier to dive into and get back out of quickly, a database similar enough to common development systems that other engineers, working hard to solve other problems, don’t have to get distracted by database internals to solve their problem.

How our free plan stays free

Avery Pennarun on

TL;DR: Tailscale’s free plan is free because we keep our scaling costs low relative to typical SaaS companies. We care about privacy, so unlike some other freemium models, you and your data are not the product. Rather, increased word-of-mouth from free plans sells the more valuable corporate plans. I know, it sounds too good to be true. Let’s see some details.

Use Caddy to manage Tailscale HTTPS certificates

Brad Fitzpatrick on

When you connect to a web application on your tailnet over plain HTTP, you might get a security warning in your browser. Although your tailnet’s connections use WireGuard, which provides end-to-end encryption at the network layer, your browser isn’t aware of that encryption—so it looks for a valid TLS certificate for that domain. For internal web apps, this can be confusing to your users, so Tailscale already allows you to provision HTTPS certificates from Let’s Encrypt for your internal web applications, with tailscale cert.

If you’re running a web server, though, it needs to obtain that certificate from Tailscale in order to serve your sites over HTTPS on your tailnet. Caddy is an open source web server—and unlike most web servers, it provisions and manages HTTPS certificates for you. (We love it because it uses HTTPS by default!) Caddy also renews these certificates automatically.

With the beta release of Caddy 2.5, Caddy automatically recognizes and uses certificates for your Tailscale network (*.ts.net), and can use Tailscale’s HTTPS certificate provisioning when spinning up a new service.

Tagged nodes no longer need key renewal, which means it's easier than ever to manage servers

Maisem Ali on

Devices you add to your Tailscale network will periodically expire their node keys and force users to reauthenticate, to ensure the devices are still meant to be on your network.

In Tailscale, ACL tags provide a way to assign an identity to a device, which replaces the prior user authentication on that device. So, node key expiry might be surprising behavior for tagged devices, such as servers, which do not have a user associated with them.

Starting today, tagged devices will have key expiry disabled by default.

Introducing auto approvers for routes and exit nodes

Maisem Ali on

You can use subnet routers in Tailscale to easily connect an existing network you have to your tailnet—for example, a virtual private cloud, or an on-premises legacy network. To set up a subnet router, you advertise routes from the device, and then approve these from the admin console. But what if you’re spinning up multiple subnet routers in high-availability mode? Or multiple exit nodes?

We’re introducing the concepts of autoApprovers for routes and exit nodes. This lets you specify in your ACL file which users can self-approve routes and exit nodes. This means that you can set up a subnet router or an exit node with just one CLI command on the device.

ACL tags are generally available

ACL tags can be applied to a Tailscale device in order to manage access permissions based on its tag. Tailscale already allows you to manage access to devices based on their names, rather than IP addresses; and tags take this a step further, so you can manage access to devices based on their purpose. For example, you might tag a production server prod and a production database prod, and allow all prod devices to communicate with each other in your network, rather than specifying each device individually.

We’re excited to announce ACL tags are now generally available! What does this mean for you? You can include tags as part of an authentication key, you can tag devices from the admin console, and tags can be owners of other tags. And we’ve further locked down ACL tags, so that authentication is required when re-tagging a device. ACL tags are a free feature, available in all pricing tiers.
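As an added example covering both the auto approvers announcement above and the ACL tags announcement (not from the original posts, and not Tailscale's own sample): one tailnet policy file that defines tag ownership, lets a tag own another tag, and pre-approves routes and exit nodes advertised by tagged devices. The tag names, group, user and the 10.10.0.0/16 prefix are placeholders.

```hujson
{
  "groups": {
    "group:devops": ["alice@example.com"],
  },

  // Who may apply each tag. A tag can own another tag: a device already
  // tagged tag:prod may tag new devices tag:prod-db.
  "tagOwners": {
    "tag:prod":    ["group:devops"],
    "tag:prod-db": ["tag:prod"],
    "tag:router":  ["group:devops"],
    "tag:exit":    ["group:devops"],
  },

  // Routes and exit nodes advertised by these sources are approved without
  // a visit to the admin console, so several HA subnet routers or exit
  // nodes can be brought up from the CLI alone.
  "autoApprovers": {
    "routes": {
      "10.10.0.0/16": ["tag:router"],
    },
    "exitNode": ["tag:exit"],
  },

  "acls": [
    // Everything tagged prod may talk to everything tagged prod, any port.
    {"action": "accept", "src": ["tag:prod"], "dst": ["tag:prod:*"]},
    // The application tier reaches the database only on its service port.
    {"action": "accept", "src": ["tag:prod"], "dst": ["tag:prod-db:5432"]},
    // Devops may reach the network behind the subnet routers.
    {"action": "accept", "src": ["group:devops"], "dst": ["10.10.0.0/16:*"]},
    // Any member of the tailnet may send Internet traffic via the exit nodes.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"]},
  ],
}
```

With this policy in place, a device started with `tailscale up --advertise-tags=tag:router --advertise-routes=10.10.0.0/16` (run by a member of group:devops, or with an auth key that carries the tag) has its route approved immediately, and `tailscale up --advertise-tags=tag:exit --advertise-exit-node` does the same for an exit node. Because a device tagged tag:prod-db can only be tagged by something already holding tag:prod, the ownership chain limits who can place a machine in the database rule's destination set.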

December Tailscale newsletter

Laura Franzese on
December brought fascinating community contributions, including How To Get Tailscale Working With a Fire TV Stick and how to use Tailscale for SSH access to ‘LAN’ locked machines.

Tailscale Rhyme Time crossword

This is our inaugural Tailscale crossword puzzle. The answer key will be published in our December newsletter, and on our blog.

November Tailscale newsletter

Laura Franzese on
November brought fascinating community contributions, including creating private Among Us game servers, and Tailscale on a Kobo Sage e-reader.

Thanks for all the code!

This Thanksgiving, Tailscale is thankful for all the people whose code we build upon. One might say we stand upon the shoulders of giants, but looking at our dependencies, a castell might be more accurate. In any case, we couldn’t have done it alone. As a small gesture of gratitude, we’re giving out free Personal Pro accounts to people who’ve contributed to Tailscale’s repos or to code that Tailscale depends on, even if it was written years before Tailscale existed. If you log in to the Tailscale admin panel and you’re on our list, a “Thanks!” heart will appear in the top right corner, letting you upgrade to Personal Pro for free. If you don’t see a heart, though, we might’ve missed you or have you under a different account or account type. If you’re either the creator of or a past or current notable contributor to code we use, please contact us with details and we’ll update our list and make sure the Gmail or GitHub account you want to use with Tailscale is on our list.

Manage access to the admin console with Network Admin, IT Admin, and Auditor roles

We’ve added more user roles to make it easier to manage access to your network. Now, in addition to your tailnet Owner, Admins, and Members, you can give users the roles of Network Admin, IT Admin, and Auditor. This lets users access the admin console without the full permissions of an Admin.

October Tailscale newsletter

Laura Franzese on
It has been another productive month for the team here at Tailscale. We have got a slew of amazing community contributions, including a powershell based updater for Windows by Nick Clark and a video tutorial by Sauber-Lab UK on installing Tailscale on Home Assistant.

Tailscale for developers: Connect to your resources from GitHub Codespaces

Maya Kaczorowski and Denton Gentry on

Have you moved to a remote development environment? In reality, you can rarely develop fully in isolation—you need access to internal tools and services to make sure your code works as expected. So although your development environment moved, well, it’s likely nothing else did.

If you didn’t already have a great way to access internal development resources, then having an ephemeral VM in a cloud provider spinning up and down as you need it for development doesn’t make that any easier. Especially if it’s not just your development environment, but every user in your organization’s.

GitHub Codespaces connecting to package repositories, and on-prem licensing servers, all over Tailscale.

Luckily, Tailscale works as part of a devcontainer with a reusable auth key, so that every GitHub Codespace you spin up can automatically connect to your tailnet. You can use Tailscale to access resources on your tailnet, or to share your development environment with others.

Tailscale for developers: Connect to your resources from Coder

Maya Kaczorowski on

When you’re developing software, you need to access all kinds of resources, including package registries, container image registries, databases, and other network services. You want to work with those services securely and with low latency, wherever they are, even if they’re behind a firewall or don’t have a public IP address. Most importantly, though, you need to be able to reach your coworkers: when you need a code review, or you’re pair programming, you want to be able to easily share your development environment with others so they can see what you’re working on. From a development workspace in Coder, you can access the resources you need for development, and share what you’re working on with your coworkers, using Tailscale.

Tailscale for developers: Connect to your resources from Gitpod

Maya Kaczorowski and Denton Gentry on

Remote development is hard. You need access to all the things from wherever you happen to be working from this week. It could be a coffee shop, the train, or even (gasp!) the office. In an ideal world, it shouldn’t take longer to gain access to what you need to get your work done, including cloud and on-prem resources, than it does to complete the tasks at hand.

Developing remotely should be a boon, not a bottleneck. That’s why we’re excited to partner with Gitpod. We aim to make it easy to connect a running workspace in Gitpod to your resources and your colleagues using Tailscale—with Tailscale available by default in Gitpod workspaces, and Gitpod free for a year to Tailscale customers.

Tailscale logo connected to a Gitpod logo

Rolling out the red carpet for remote meetings

Josh Bleecher Snyder on

The world doesn’t need more words about remote meetings. So here’s a picture:

Tailscale team members queued on a red carpet in front of a microphone

Tailscale joins the Synology Package Center

Laura Franzese on

Tailscale is officially supported in the Synology package center. Tailscale + Synology makes it effortless to securely access your Synology NAS from anywhere in the world, on any device. You can also use it as a relay back to other devices on your LAN.

You can use Tailscale with Kubernetes, you know

Maisem Ali and Maya Kaczorowski on

Given that this week is the epic all-things-cloud-native reunion in LA, we thought we might crash your little party and mention that Tailscale already works well with containers and Kubernetes. Many of us here at Tailscale used to work on Kubernetes, and keep it close to our hearts even if we’re not at KubeCon this week (and sorry, we love YAML, but use HuJSON now).

Tailscale v1.16

Laura Franzese on

Tailscale 1.16 is out! The latest Linux, Windows, and Android clients are available today (see our update instructions), while macOS and iOS will be available over the next few days, pending App Store reviews.

We break down the work that’s happened in and around the release of Tailscale 1.16.

Enable device authorization and set key expiry in the admin console

Sonia Appasamy and Ross Zurowski on

We’ve made a few settings easier for you to manage in the admin console: device authorization and key expiry.

Authentication Settings in the admin console showing the new options.

Hey linker, can you spare a meg?

Josh Bleecher Snyder on

Tailscale on iOS runs as a special kind of app, a Network Extension. This lets us run in the background, so we can secure traffic from all of your applications, without them having to change anything. But with this power comes a memory straitjacket. Normal iOS apps can use 5GB or so of memory before iOS kills them. We get 15MB. With an “M”.

That has been a constant pain point for our users—and especially for us. When we use too much memory, iOS snipes our network extension, and your VPN access goes down. And the knowledge that doing more work caused more crashes led us to leave important improvements out of the iOS app, like HTTP/2 and UPnP support. It was a constant low-level drain on our engineering team and our product.

This blog post is about how we tackled the problem, with a bit of philosophizing and a surprise twist at the end.

September Tailscale newsletter

Laura Franzese on
A new month, a new set of updates! The team has been busy building new features, including HTTPS certificate support and GitHub Marketplace integration. We also launched free pricing for open source GitHub orgs.

Action required: Upgrade Tailscale to 1.14.4+ prior to updating Windows

Maya Kaczorowski on

Due to recent changes in Windows Update, upgrading the operating system on a Windows 10 or Windows 11 machine running Tailscale may break Tailscale connectivity. If this happens, your machine will no longer be able to connect to your tailnet. To avoid this issue, upgrade Tailscale on your Windows machines to Tailscale 1.14.4 or later before running Windows Update.

Provision TLS certificates for your internal Tailscale services

Connections between Tailscale nodes are already secured with end-to-end encryption—that’s a huge benefit of being built on WireGuard. However, browsers are not aware of that because they rely on verifying the TLS certificate of a domain.

To protect a website with an HTTPS URL, you need a TLS certificate from a public Certificate Authority. Tailscale now makes that easily available for the machines in your Tailscale network, also known as a tailnet, with certificates provisioned from Let’s Encrypt.

Even more for free: Tailscale for open source projects

Tailscale loves open source. We know that it can be tough to develop a project in the open, and collaborate with individuals and organizations around the world.

We’re excited to announce that Tailscale is free for GitHub organizations using Tailscale for open source projects. And given Tailscale is good at, well, making connections, friends and family who coordinate using GitHub organization accounts can also benefit from this free plan.

We get stuck opening the socket

David Crawshaw on
I have a soft spot for the Unix sockets API. Yes, it is clunky to get started and has grown some odd options over the decades. It is usually buried now under higher level programming layers. But at the heart of it is a small and versatile interface that is easy to build on and easy to recreate:

    read(socket, bytes)
    write(socket, bytes)

What bytes, how many bytes, and in what order are up to you. Under the hood TCP gives you reliable transmission. It is a quick and fun way to write a network program. Streams of bytes can contain discrete request-response messages, be used as a message bus, A/V streams, they can be multiplexed and demultiplexed… there are many ways to use them. As a bonus, most programming languages can represent streams of bytes efficiently, so sockets make for good protocol boundaries. It also has the great benefit of being a stable technology.

Private DNS with MagicDNS

Brad Fitzpatrick and David Crawshaw on
MagicDNS runs a DNS server on each Tailscale device to quickly and securely serve DNS.

Connect a GitHub Action to your Tailscale network — now in GitHub marketplace!

A few months back we released a GitHub Action to make it easier for you to access Tailscale. This allows a GitHub Action you’re running to first connect to Tailscale using an ephemeral authentication key, then perform other steps. Ephemeral auth keys clean up their state after the runner finishes, meaning you’re not persisting a connection to your network.

We’re excited that our GitHub Action is now available in the marketplace! This means that with the Connect Tailscale action, you can easily pull this into whatever actions you write.
