Blog

A combination of our newsletter and other posts, where we talk about Tailscale, WireGuard®, 2-factor auth, and other networking-related topics.

Subscribe via email, RSS or follow our Twitter.

Tailscale May Newsletter

Jackie Pruter on
Photo of Jackie Pruter
May has been a big month for the Tailscale team. We launched session recording for Tailscale SSH in beta, allowing you to record the terminal output whenever someone on your tailnet initiates a Tailscale SSH connection. Along with SSH, we also announced that Custom OIDC is now available for all users, enabling seamless integration and authentication customization.

In case you missed it, we also hosted a live webinar, “Bring Tailscale to Work: Introduction to Tailscale Enterprise,” which is available to watch on-demand here.

Custom OIDC is generally available

We’re pleased to announce that custom OIDC is now generally available for all users. With custom OIDC, users can sign into Tailscale using any identity provider that supports OpenID Connect (OIDC). To use a custom OIDC provider with Tailscale, you must verify domain ownership by setting up a WebFinger endpoint.

Announcing session recording for Tailscale SSH in beta

Sam Linville and Jairo Camacho on
Photo of Sam Linville
Photo of Jairo Camacho
Today, we’re launching session recording for Tailscale SSH in beta, allowing you to record the terminal output whenever someone on your tailnet initiates a Tailscale SSH connection. You can use these recordings to detect threats, investigate security incidents, and remain compliant with your network security policies. To set it up, see the documentation for Tailscale SSH session recording.

Securing customer data in production with Tailscale and Indent

Stevan Arychuk on
Photo of Stevan Arychuk
Everyone wants to get security right, and compliance is usually the forcing function to do so. For us, it was pursuing SOC 2, and for you it might be HIPAA, SOX, or something else. When thinking about securing customer data, it doesn’t necessarily mean locking that data in a safe and throwing away the key, but it can mean restricting who has access, and when. Restricting access to customer data can help prevent data leakage, while limiting how long customer data is reachable can reduce a company’s attack surface area. Learn how Reclaim.ai uses Tailscale to secure customer data and prod environments, and Indent to efficiently update permissions in a secure time-limited way.

Sign in to Tailscale with Apple

David Crawshaw on
Photo of David Crawshaw
Users can now sign in to Tailscale using their Apple ID. On the Mac and iPhone, signing in to Tailscale with your Apple ID takes advantage of TouchID and FaceID. This addition rounds out Tailscale’s support for major identity providers, alongside Google, GitHub, Microsoft, Okta, custom OIDC providers, and more.

Announcing network flow logs and log streaming

Pouyan Aminian and Jairo Camacho on
Photo of Pouyan Aminian
Photo of Jairo Camacho

Tailscale takes your network’s security and reliability seriously. That’s why we built features like configuration audit logs to help you monitor and review changes to your network. Recently, we released network flow logs, in beta, to help you monitor network activity in your tailnet. These logs allow you to detect threats, investigate security incidents, maintain compliance with your network security policies, and troubleshoot network issues. 

Network flow logs record the metadata about your network traffic. Your connections on Tailscale are (and remain) end-to-end encrypted and we never log the content of your network traffic, nor do we have access to do so.

Log into Tailscale with any OIDC-enabled identity provider

Jeff Spencer on
Photo of Jeff Spencer
For large organizations, identity management and access control isn’t just about authenticating users and defining what they have access to, it’s also about delivering a great user experience without compromising security. Tailscale requires users to log in with an identity provider (IdP) — which hasn’t been much of a problem because we currently have native SSO integrations for Google, Microsoft Azure AD, Okta, GitHub, and OneLogin. But what if you’re not using one of these providers?

Announcing Tailscale Enterprise

David Carney on
Photo of David Carney
Since launching four years ago, Tailscale has been adopted by thousands of companies seeking easier and more powerful ways to build networks and interconnect devices. Customers like Instacart, Mercari, Duolingo, and Mercury Bank are using Tailscale in wide-scale deployments, often with more than 1,000 users, as a key part of their network infrastructure.

Pricing v3, plans, packages, and debugging

Avery Pennarun on
Photo of Avery Pennarun

Today we’re announcing the third generation of Tailscale plans and pricing. Most noticeably: The Free plan is expanding from one to three users. Monthly paid plans now include three free users, and bill you only for additional users who actively exchange data over Tailscale (“usage-based billing”) rather than for a fixed number of seats. Annual prepaid plans will have a new structure.

The new plans should save money for essentially everyone, but you can keep your old plan if you want. Existing annual, custom, and enterprise subscriptions are unaffected, and changes are opt-in. Monthly prices per user are staying the same.

Surpassing 10Gb/s over Tailscale

Jordan Whited on
Photo of Jordan Whited

Hi, it’s us again. You might remember us from when we made significant performance-related changes to wireguard-go, the userspace WireGuard® implementation that Tailscale uses. We’re releasing a set of changes that further improves client throughput on Linux. We intend to upstream these changes to WireGuard as we did with the previous set of changes, which have since landed upstream.

With this new set of changes, Tailscale joins the 10Gb/s club on bare metal Linux, and wireguard-go pushes past (for now) the in-kernel WireGuard implementation on that hardware. How did we do it? Through UDP segmentation offload and checksum optimizations. You can experience these improvements in the current unstable Tailscale client release, and also in Tailscale v1.40, available in the coming days. Continue reading to learn more, or jump down to the Results section if you just want numbers.

An update on Tailscale Up — our conference for you! 

Jeremy Tanner and Katie Reese on
Photo of Jeremy Tanner
Photo of Katie Reese
In case you missed it, Tailscale Up is our first community conference that brings Tailscale out of the network layer and into the real world on Wednesday, May 31. Come to meet open source maintainers, hardware hackers, self-hosters, and Tailscalars (sometimes all the same person) to share stories, workflows, and favorite projects. You can find tickets, accommodation details, and more over on the developer community site.

Tailscale March newsletter

Mark Ogilbee on
Photo of Mark Ogilbee

March has flown by! All month long, we’ve been heads-down getting some cool new features over the finish line and into your hands, including custom OIDC and Funnel, both in beta. You can also make new users’ onboarding process less daunting by inviting them to join your tailnet.

And we are particularly thrilled to be hosting our first in-person community conference, Tailscale Up, featuring speakers Amye Scavarda Perrin, Justin Garrison, Emily Trau, Corey Quinn, and more to be announced soon. We are partnering with Dogpatch Studios in SF to host this event, and we’re excited to share more details about content, food, and more in the coming weeks.

Tailscale Funnel now available in beta

Tailscale Funnel, a tool that lets you share a web server on your private tailnet with the public internet, is now available as a beta feature for all users. With Funnel enabled, you can share access to a local development server, test a webhook, or even host a blog.

Funnel provides a DNS name tied to your node that becomes publicly accessible once enabled. When a user on the public internet requests your service, we use a secure Tailscale tunnel to forward those requests along.

Invite and review users joining your tailnet

Claire Wang and Fran Bull on
Photo of Claire Wang
Photo of Fran Bull
When a new user signs up for Tailscale with alice@example.com, they automatically join the same Tailscale network (tailnet) as everyone else @example.com. This makes it easy for small teams to get started with Tailscale. For more complex management of users in your organization, you can invite users and assign them roles before they join. And, you can review and approve when users join your tailnet with user approval.

Introducing Custom OIDC

At Tailscale, we don’t want your users (or us) managing a separate list of usernames and passwords, which is why you must use single sign-on with an identity provider to create and manage your network. Until now, that meant you needed to choose from a handful of trusted identity providers including Google, Okta, GitHub, and Azure AD. Custom OIDC, now in open beta (and available for everyone), changes all that.

New users can set up custom OIDC and sign in at login.tailscale.com/start/oidc, and existing customers can contact our support team to request account migration.

Tailscale February newsletter

Mark Ogilbee on
Photo of Mark Ogilbee
We’re excited about what’s been happening at Tailscale this month! Configuration audit logs are now generally available for all Tailscale users, and we’ve announced a new integration that lets your CodeSandbox Repository access private resources on your tailnet. We’ve also introduced changes to make it easier to manage your billing with the Billing Admin role, and we’ve launched improvements for supporting OAuth in the Tailscale API. And last — but absolutely not least — we’re announcing our first in-person Tailscale community conference, Tailscale Up.

We ❤️️ integrations

Maya Kaczorowski on
Photo of Maya Kaczorowski
Tailscale is, at its heart, network infrastructure. The value of network infrastructure is what it enables us to connect with. Our Integrations page gives you a long list of where you can use Tailscale, so that you can easily see if it works with your infrastructure — but, spoiler alert — Tailscale works almost everywhere.

Manage pricing and billing with Billing Admin

Claire Wang and Maya Kaczorowski on
Photo of Claire Wang
Photo of Maya Kaczorowski
We’ve added a new additive user role, Billing Admin, so that you can designate multiple individuals to manage pricing plans and billing information for your tailnet, without also allowing them to edit other tailnet settings.

Announcing "Tailscale Up" community conference

Katie Reese and Jeremy Tanner on
Photo of Katie Reese
Photo of Jeremy Tanner

We’re bringing Tailscale out of the network layer and into the real world with Tailscale Up, the first-ever in-person Tailscale community conference, on May 31 in San Francisco. Meet Open Source maintainers, hardware hackers, self-hosters, and Tailscalars (sometimes all the same person) to share stories and workflows, and hear about the latest projects and integrations we’ve been working on.

To stay updated on the latest developments and announcements about Tailscale Up, visit tailscale.dev/up and follow our Twitter and our fediverse account. In the coming weeks, we’ll share updates, including the event’s venue, speaker announcements, and the full schedule. You won’t want to miss out on this unique opportunity to meet and learn from others in the Tailscale community as well as Tailscale team members.

Reducing Tailscale’s binary size on macOS

Mihai Parparita on
Photo of Mihai Parparita
Tailscale v1.36 for macOS features a significantly reduced binary size (going from 92MB to 56MB). The effort started out with a chance observation about a surprisingly large executable, and ended up involving some creative approaches using dlopen.

Tailscale for DevOps: Give CodeSandbox access to private resources on your tailnet

Jeff Spencer on
Photo of Jeff Spencer
Developing software in an IDE like CodeSandbox requires access to many on-prem or cloud resources, from package and container image registries to databases. When you’re using CodeSandbox for remote development, you’ll want to access those resources securely and with the lowest possible latency — even if they’re behind a firewall or don’t have public IP addresses. Perhaps most importantly, you’ll want the ability to easily share access with coworkers so they can do things like review code or pair programming. From a CodeSandbox Repository, you can grant applications access to private resources on your tailnet, and share what you’re working on with peers, using Tailscale.

Configuration audit logs are generally available

Ramya Nagarajan and Jeff Spencer on
Photo of Ramya Nagarajan
Photo of Jeff Spencer
We’re pleased to announce that configuration audit logs are now generally available for all Tailscale users. Configuration audit logs record changes made to your Tailscale network’s, or tailnet’s, configuration. If you’re an admin of a tailnet, you can access audit logs in the Logs page of the admin console. In the admin console, you’ll see a table of changes made to your network, with the most recent events shown first, and you can filter by user, time, and action taken. Configuration audit logs are also available via API.

January Tailscale newsletter

Mark Ogilbee on
Photo of Mark Ogilbee
As our plans for 2023 get well and truly underway, we want to dedicate this first newsletter of the year to you, our community. We love doing what we do, in no small part because every month we discover the new and interesting ways you find to work and play with Tailscale. Last year, we featured more than 100 community contributions in our newsletters! Your enthusiasm and resourcefulness inspire us — and we hope that by highlighting these contributions each month, we in turn help inspire you. We can’t wait to see the new and exciting ways you use Tailscale in 2023!

Supporting OAuth in the Tailscale API

Will Norris and Jordan Whited on
Photo of Will Norris
Photo of Jordan Whited

Tailscale’s API gives you programmatic access to many of your Tailscale resources, including devices on your tailnet, access controls in your tailnet policy file, and DNS settings. Today we’re launching two improvements to how you authenticate to the Tailscale API: the ability to create scoped access tokens limited to specific operations, and the ability to continually generate or refresh access tokens using OAuth clients.

Tailscale actions for iOS and macOS Shortcuts

Mihai Parparita on
Photo of Mihai Parparita
With Tailscale v1.36 actions can be directly triggered and automated with the Shortcuts app on iOS and macOS. We’ve added support for managing the connection state, using exit nodes, and switching between profiles. You can combine the Tailscale actions with other automations to customize tasks, such as automatically connecting to your tailnet if your device is not on your home Wi-Fi.

Traefik Proxy now offers Tailscale as certificate resolver

Photo of Parker Higgins
Parker Higgins on

Traefik, the popular load balancing and reverse proxy tool, has added support for Tailscale as a certificate resolver in Traefik Proxy 3.0 beta, the latest release of its forward proxy offering. Today, one of the engineers behind this integration has published a fun deep dive into how it works and how they’re using Tailscale to help with testing at Traefik.

Tailscale logo connecting to Traefik logo

This new feature means you can now access HTTPS-enabled services on your tailnet behind Traefik Proxy, without the headache of separately handling certificates or exposing an endpoint to resolve TLS challenges from Let’s Encrypt. Instead, Tailscale can manage your certificate life cycle and automatically renew your Let’s Encrypt certificate, and will do so under this setup as long as Traefik is running.

Looking back at 2022: A year of growth, funding and lots of new features

Mark Ogilbee on
Photo of Mark Ogilbee

As we took a few days away from our keyboards over the holidays, we here at Tailscale also spent time reflecting on the year we had in 2022, which seemed to come and go before we knew it. It was quite a journey — and we wanted to share with you some highlights from what was a decidedly lively and groundbreaking year for us.

December Tailscale newsletter

Mark Ogilbee on
Photo of Mark Ogilbee
Our December newsletter is out a bit early as we here at Tailscale take the final days of 2022 to rest up, be festive, and reflect on the year gone by — and what a momentous year it’s been, with lots of big product updates and company news. Here are just a few highlights: We launched Tailscale SSH, which lets you SSH into devices on your tailnet from anywhere, even mobile, without hassling with additional software, firewall rules, or key management. You can even SSH into devices on your tailnet from any web browser via SSH Console. We added support for on-demand access integrations with partners ConductorOne, Indent, Opal, and Sym, each of whom vastly simplify the process of provisioning new users with temporary access to sensitive resources. We received our SOC 2 (both Type I and Type II) compliance reports, reaffirming the ridiculously passionate commitment to security that’s baked into our DNA. We announced a $100 million Series B financing round led by CRV and Insight Partners, with participation from our existing major investors: Accel, Heavybit, and Uncork Capital, along with a cast of many prominent angels and smaller investors.

Tailscale for DevOps: Connect to any subnet in your tailnet with Connecti (by Pulumi)

Photo of Jeff Spencer
Jeff Spencer on

When setting up cloud infrastructure for your team, it often makes sense to provision sensitive services in private subnets. However, this usually means that those services are not easily accessible from your personal devices or CI/CD infrastructure. Tailscale already makes it possible to access those services by adding a private subnet router to your tailnet. But what happens if you need to quickly access something in a private subnet and then immediately terminate that connection?

Most organizations already have existing infrastructure, so the need to access or debug something in a private subnet is a relatively frequent problem. That’s why Pulumi has worked hard to create a way to quickly provision ephemeral VPN connections that you can spin up and tear down quickly. Connecti is a command line tool written in the Go programming language using Pulumi’s automation API, that allows you to declaratively provision Tailscale subnet routers in seconds without writing a single line of infrastructure code.

Pulumi is an open source infrastructure as code platform for creating, deploying, and managing cloud infrastructure. Pulumi works with both traditional infrastructures like VMs, networks, and databases, in addition to modern architectures such as containers, Kubernetes clusters, and serverless functions.

Continue reading to learn more about Tailscale and Connecti from Pulumi software engineer and Connecti creator Lee Briggs.

Tailscale logo connecting to the Pulumi logo

User and group provisioning for Okta is generally available

Ramya Nagarajan and Jeff Spencer on
Photo of Ramya Nagarajan
Photo of Jeff Spencer

We’re pleased to announce that user & group provisioning for Okta is now generally available. You can sync group membership and deactivated users from Okta, and refer to a synced group as part of an access rule in your tailnet policy file.

Postgres Crunchy Bridge with Tailscale

Maya Kaczorowski on
Photo of Maya Kaczorowski

Today we are happy to announce that Crunchy Bridge has integrated with Tailscale to provide easy access to your database from any of your devices, wherever they are running. Crunchy Bridge is a managed Postgres product that runs your database for you on your choice of cloud.

Tailscale logo connecting to Crunchy Data logo

Introducing tailnet lock: use Tailscale without trusting our infrastructure!

Tom D'Netto and Adrian Dewhurst on
Photo of Tom D'Netto
Photo of Adrian Dewhurst

Users sometimes ask us, “How can I trust Tailscale?” From the beginning, we’ve tried to make it so you don’t have to, by architecting our infrastructure with security and privacy in mind. When you use Tailscale, your data is end-to-end encrypted. Tailscale doesn’t have the private key, so we can’t see your traffic. While Tailscale can’t observe the data transiting your tailnet, we are responsible for managing the control plane, where our coordination server distributes public keys and settings for your tailnet.

Which brings us to one glaring issue that has remained with our architecture: You have still needed to trust our coordination server. What if we were malicious, and stealthily inserted new nodes into your network? Tailscale could hypothetically use a secretly-added node to send or receive traffic to your existing nodes — meaning it wouldn’t matter that the traffic is encrypted because the peer itself would be malicious.

You should decide who to trust when it comes to your tailnet’s coordination server and how nodes are added to your tailnet. We don’t want you to have to trust us to get it right. So today, we’re taking the first steps with tailnet lock, a security feature where your nodes verify the public keys distributed by the coordination server before trusting them for network connectivity.

Userspace isn't slow, some kernel interfaces are!

Jordan Whited and James Tucker on
Photo of Jordan Whited
Photo of James Tucker

We made significant improvements to the throughput of wireguard-go, which is the userspace WireGuard® implementation that Tailscale uses. What this means for you: improved performance of the Tailscale client on Linux. We intend to upstream these changes to WireGuard as well.

You can experience these improvements in the current unstable Tailscale client release, and also in Tailscale v1.36, available in early 2023. Read on to learn how we did it, or jump down to the Results section if you just want numbers.

Quickly switch between Tailscale accounts

Fast user switching has come to Tailscale! Starting in v1.34, out today, you’ll be able to quickly switch between Tailscale accounts on the same device, without re-authenticating. (We heard you.)

a gif showing the process of switching user accounts in the macOS client

To switch between tailnets on macOS, click on the Tailscale icon in the menu bar and select the other account.

Private go links for your tailnet

Photo of Will Norris
Will Norris on

Today, we’re sharing golink, an open source private URL shortener service for tailnets. Using golink, you can create and share simple go/name links for commonly accessed websites, so that anyone in your network can access them no matter the device they’re on — without requiring browser extensions or fiddling with DNS settings. And because golink integrates with Tailscale, links are private to users in your tailnet without any separate user management, logins, or security policies.

A screenshot of the golink application homepage. A form allows a new link to be created and popular links are listed: go/meet, go/slack, go/search, go/email

November Tailscale newsletter

Mark Ogilbee on
Photo of Mark Ogilbee
It’s been a dramatic month across the tech industry, but we have some good news: Tailscale is hiring! We’re looking for driven individuals who think differently, enjoy collaborating with highly technical remote teams, and are comfortable working asynchronously. See our open roles below, and learn more about our company vision. We launched Tailscale Funnel, which makes it simple (and still secure) to route traffic from the internet to a node in your tailnet. We’ve developed a guide for using tsnet to make your internal services easier to run, access, and secure; and we put together an inside look at how we built our new webhooks feature. Plus: Tailscale has joined the Fediverse! You can now follow us on Hachyderm

Tailscale Runs Anywhere I Need

Photo of Katie Reese
Katie Reese on

Last week, Tailscale hosted a three-day co-work week to prove Tailscale Runs Anywhere I Need (TRAIN) by traversing the Amtrak Coast Starlight line from Emeryville, CA to Seattle, WA. The week included a shared work day in Berkeley, an overnight on the train, a work day from the train’s observatory, and a work day from a lovely Airbnb in the Queen Anne neighborhood of Seattle.

Action required: Upgrade Windows clients to v1.32.3

Photo of Maya Kaczorowski
Maya Kaczorowski on

Tailscale has recently been notified of security vulnerabilities in the Tailscale Windows client which allow a malicious website visited by a device running Tailscale to change the Tailscale daemon configuration and access information in the Tailscale local and peer APIs.

To patch these vulnerabilities, upgrade Tailscale on your Windows machines to Tailscale v1.32.3 or later, or v1.33.257 or later (unstable).

Introducing Tailscale Funnel

Tailscale lets you put all your devices on their own private tailnet so they can reach each other, ACLs permitting. Usually that’s nice and comforting, knowing that all your devices can then be isolated from the internet, without any ports needing to be open to the world.

Sometimes, though, you need something from the big, scary, non-Tailscale internet to be able to reach your device.

Tailscale on the Fediverse

Photo of Xe Iaso
Xe Iaso on
Hey everyone! The last few weeks have been something else eh? We want to make it easier for you to keep in touch with us. As such, we have created a Fediverse account on Hachyderm. Feel free to give us a follow if you want to keep up to date! We’re honored to be one of the first corporate accounts on Hachyderm and in the Fediverse in general. This is a great responsibility and we are taking this responsibility seriously. We want to be an example of what a positive and mutually beneficial corporate presence on the Fediverse should look like. We want to use this opportunity to help strengthen the entire Fediverse community as well as help people use Tailscale in new and exciting ways. I’ve personally used the Fediverse since 2017, back when Mastodon was propagating things using OStatus. I’ve run bots on the Fediverse for years. I don’t want this to be an example of another corporation encroaching on a community space and covering it with advertising.

Subscribe for monthly updates

Product updates, blog posts, company news, and more.

Too much email? RSS Twitter