Blog

Last week, Tailscale hosted a three-day co-work week to prove Tailscale Runs Anywhere I Need (TRAIN) by traversing the Amtrak Coast Starlight line from Emeryville, CA to Seattle, WA. The week included a shared work day in Berkeley, an overnight on the train, a work day from the train’s observatory, and a work day from a lovely Airbnb in the Queen Anne neighborhood of Seattle.

Tailscale has recently been notified of security vulnerabilities in the Tailscale Windows client which allow a malicious website visited by a device running Tailscale to change the Tailscale daemon configuration and access information in the Tailscale local and peer APIs.

To patch these vulnerabilities, upgrade Tailscale on your Windows machines to Tailscale v1.32.3 or later, or v1.33.257 or later (unstable).

Tailscale lets you put all your devices on their own private tailnet so they can reach each other, ACLs permitting. Usually that’s nice and comforting, knowing that all your devices can then be isolated from the internet, without any ports needing to be open to the world.

Sometimes, though, you need something from the big, scary, non-Tailscale internet to be able to reach your device.

Hey everyone! The last few weeks have been something else eh? We want to make it easier for you to keep in touch with us. As such, we have created a Fediverse account on Hachyderm. Feel free to give us a follow if you want to keep up to date! We’re honored to be one of the first corporate accounts on Hachyderm and in the Fediverse in general. This is a great responsibility and we are taking this responsibility seriously. We want to be an example of what a positive and mutually beneficial corporate presence on the Fediverse should look like. We want to use this opportunity to help strengthen the entire Fediverse community as well as help people use Tailscale in new and exciting ways. I’ve personally used the Fediverse since 2017, back when Mastodon was propagating things using OStatus. I’ve run bots on the Fediverse for years. I don’t want this to be an example of another corporation encroaching on a community space and covering it with advertising.

Tailscale is amazing. But you already knew that, right? There’s nothing more satisfying than being able to set up a secure network in seconds, almost like magic — except maybe realizing it’s Friday when you thought it was Thursday, but I digress.

Being a relatively new product, Tailscale is still adding features to make it even easier to use. One of the most requested features from both our enterprise customers as well as individual users are notifications for events happening in your tailnet, such as when new nodes are added or need to be authorized. Before Tailscale introduced the new feature I’m about to mention (shh… I know you saw it in the title, but just pretend you didn’t for a second), there wasn’t really a way for the admin of a tailnet to know if something had changed without constantly stalking the admin console for new warning badges on machines, or scrolling through the configuration audit logs for updates.

During my internship at Tailscale this past summer, I set out to fill this notification gap. (“I” meaning me, Laura the intern, not to be confused with the lovely individual of the same name who has been writing the Tailscale newsletter every month.) As a result of my (and many other peoples’) summer-long efforts, Tailscale now allows you to configure webhooks to notify you of specific kinds of events in your tailnet.

Naming products is hard. One of Tailscale’s key features, MagicDNS, has long been a source of armchair grammar controversy. To wit: Some people think we should call it Magic DNS because Apple calls their flagship keyboard and mouse the Magic Keyboard and the Magic Mouse. But have you noticed that Apple also calls their laptops MacBooks and their wireless headphones AirPods? The reason they do this is because of an obscure (and nerdy) rule of the English language that says if removing the adjective from a noun phrase would change the meaning of the noun, you can remove the space and make it a compound word. A Magic Keyboard without the magic is still a keyboard. A MacBook without the Mac is not a book. MagicDNS is one word because without the magic, it wouldn’t just be DNS; it wouldn’t be anything. Tailscale already has DNS and split DNS (two words!

Today, we’re launching a web-based SSH client: Tailscale SSH Console.

From the Tailscale admin console, admins will now see a little “SSH…” button to connect to devices running Tailscale SSH. Click this, and you’ll pop open an SSH client, right in your browser. Tailscale SSH Console is now available in beta.

If you’re managing and using Tailscale along with several other users, it’s hard to keep track of what changes get made, even with audit logs. For example, another admin might make an update, or an event that you need to react to could occur — such as a node needing authorization.

Tailscale automatically assigns IP addresses for every unique device in your network, giving each device an IP address no matter where it is located. We further improved on this with MagicDNS, which automatically registers a human-readable, easy-to-remember DNS name for each device —  so you don’t need to use an IP address to access your devices. This means you can access the device monitoring, even if it moves from on-prem to the cloud, without ever needing to know its IP address in the first place.

MagicDNS is such a useful feature that it’s been frustrating for us that not all Tailscale users know about it. We’re surprised that we often get suggestions like, “It would be great if Tailscale could just run a small DNS server for me” — when it already does! So we’re particularly excited to share that as of today, MagicDNS is generally available, and it’s enabled by default for new tailnets! (Already a Tailscale user, but not using MagicDNS yet? Click “Enable MagicDNS” in the DNS page of the admin console to get going.)

If you’re already using MagicDNS, your tailnet has been automatically assigned a new tailnet name of the form tail<hex>.ts.net, in addition to the existing name <domain>.beta.tailscale.net. If you’re sharing nodes with the beta name, we ask you to migrate to the new tailnet name. The existing beta name will be supported until at least November 1, 2023.

Understanding what changes were made to your Tailscale network, and who made them, is critical for maintaining the security and integrity of your network. That’s why we’re making it even easier for admins — and your auditors! — to review changes made to your tailnet’s configuration, such as adding devices, updating ACLs, or changing DNS settings.

Configuration audit logs, now in beta, capture changes made to your network in the coordination server. If you’re an admin of a tailnet, you can access audit logs for your tailnet in the logs tab of the admin console. From the console, you’ll see a table of changes made to your network, with the most recent events first, and you can filter by user, time, and action taken. Configuration audit logs are also available via API.

Ever wanted to run your own DNS resolver but you don’t actually want to run your own DNS resolver because running DNS is fraught with pain?

Tailscale now supports NextDNS!

… But if you must, we made something that can help you do it right.

The folks at bit.io just published an excellent review of PostgreSQL security, with a startling conclusion: the vast majority of PostgreSQL connections that are happening over the public internet are insecure, due to a combination of server misconfigurations and most clients unfortunately defaulting to unsafe settings.

When I was in college almost a decade ago, I lived on the computer science floor of my dorm. It was quite possibly one of the most interesting places I’ve ever lived. It was full of nerds, and we had file shares and LAN parties every weekend. While I was there, I got introduced to a tool called Hamachi that we used in order to keep playing games like Minecraft, StarCraft (Brood War), and Age of Mythology together over winter and summer breaks. We shared our photos, code creations, and more; all over that shared network. This allowed us to be together even on breaks, when we were on opposite sides of the state.

Open source is in Tailscale’s bones. After our seed round, when we were only five people making our initial open source plans, we each already had decades of experience writing and using community software. Personally, I’m a Unix programmer only because of a Slackware CD I picked up in Hong Kong in 1995. I owe my livelihood and a big part of my identity to open source. So it was natural to me that we would open source anything where the trouble involved in doing so was worth the value of releasing the code.

Beyond our instincts to build open source software, we also couldn’t have built Tailscale without it. Tailscale is heavily dependent on open source: WireGuard®, a tunneling protocol for establishing encrypted connections between peers, is at the core of Tailscale. And, like every other company these days, the vast majority of the code we use wasn’t written by us — we have dependencies on code written by thousands of other developers, and we want to give back.

Tailscale clients make direct connections to each other, almost all the time. To do that, they need reliable communication infrastructure to determine how to connect (using DISCO packets), and a communication path of last resort to use when the local network on one or both ends is hostile enough that direct connections are not feasible. Tailscale runs a global network of DERP relay servers to cover both of these needs.

This week, we added nine additional DERP locations to complement our existing relay network. By operating in more locations globally, your devices are more likely to be closer to a server. That means you can more quickly and easily establish network connections. And, if your connection goes through a closer relay, it’ll likely be faster.

Not all engineering work at Tailscale requires changing Go internals or deep insights into how to leverage the birthday paradox for NAT traversal. There are countless small bugs and edge cases that we investigate in our quest to meet an unreasonably high percentile of our users’ expectations. This is the story of one such investigation.

Good news everyone: Tailscale is SOC 2 compliant! Wait… weren’t we already compliant? Yes, but now we’re SOC 2 Type II compliant… which is kind of a big deal.

As part of our ongoing commitment to security and privacy at Tailscale, we’ve completed a SOC 2 Type II audit. Our Type I audit validated that we had policies and procedures in place to keep your information safe. Now, our Type II audit validates that our security controls were effective over the period of time evaluated and that we’re actually implementing the policies and procedures we committed to.

Tailscale lets you manage access permissions within a tailnet, including which users are allowed to connect to which machines, using powerful Access Control Lists (ACLs). ACLs are controlled by a HuJSON tailnet policy file that you can edit directly in the admin console. This makes managing permissions simple, but unlike other controls defined in code, there is no way to require approval or review before accepting changes made to ACLs directly in Tailscale’s admin console. In the industry, there’s a pattern called GitOps that suggests you should maintain anything that defines your infrastructure, like this policy file, in a Git repository and use CI to validate, test, and automatically deploy changes.

In this post, I’m going to cover how you can set up a GitOps workflow for your tailnet policy file with GitHub Actions so you can maintain ACLs in a central repository, apply the same controls for changes to your configuration file as you do for code (“config as code”)— such as requiring review, and how to automatically apply these configuration changes to your network.

To make this easier, we’ve released a Sync Tailscale ACLs GitHub Action you can use for automatically updating your tailnet policy file from GitHub. If you’re using this action, or another GitOps workflow you’ve built yourself, you can surface it in the Access Controls page of the admin console to prevent colleagues from accidentally making unapproved changes.

When deploying infrastructure, you might need to frequently redeploy an environment for testing, or spin up servers in response to an increase in demand. A common tool to automate the provisioning of your infrastructure is Terraform — with Terraform, you can define infrastructure as code, then script deployments of that infrastructure. If you’re deploying servers that you want to access over Tailscale, you can already simplify setup by using a tagged auth key to automatically connect devices to your tailnet with the right permissions. But what if you’re trying to manage your deployment of Tailscale?

You can also use Terraform to manage your use of Tailscale to define and deploy your ACLs, DNS settings, auth keys, and more. Tailscale is adopting the Tailscale Terraform provider and taking responsibility for ongoing support and development. The community, notably David Bond, originally created the Tailscale Terraform provider, and we are very thankful for the work they’ve done to provide this valuable tool to others.

If you’re using Tailscale with short-lived devices such as containers or frequently redeployed infrastructure, you are probably already using ephemeral nodes. Ephemeral nodes are meant for automated, frequently redeployed workloads because they’re automatically removed from your network once they are no longer active. However, this automatic process could potentially take an hour or longer while the coordination server waits to see if the ephemeral node will come back online. This clutters your network with containers or functions that are no longer running.

When you’re working in an environment with strict compliance needs, you want to make sure you’re following the principle of least privilege and granting employees access only to the resources they need to do their job. Tailscale ACLs already make that possible by letting you define what someone can access — and restricting their access to everything else — with “default deny” rules.

In many organizations, access to resources needs to be granted temporarily, such as when someone needs additional information in order to debug a customer issue. This is why we’re partnering with Opal: to provide short-lived, granular, on-demand access to resources in your tailnet. With Opal, your team can generate self-serve access requests and get automatic approvals for faster access to the resources they need, rather than waiting for their help desk ticket to be manually reviewed and provisioned.

Managing privileged access can help improve security by reducing unnecessary access to sensitive resources and customer data. With Tailscale ACLs, you can already manage access to company resources and restrict access with “default deny” rules.

But what if there’s an emergency, and the person on call needs to access your production environment? Solving this is why we’re excited to partner with Sym! Now, users can easily request temporary access to sensitive resources in Tailscale via Slack. These requests can then be approved by team members directly in Slack, or even be automatically approved for certain people — such as on-call engineers.

Modern governance and access control policies for sensitive resources like production nodes, databases, and SSH access to servers on Tailscale can sometimes lead to extra work when requesting and approving on-demand access. Fortunately, Tailscale ACLs already let you manage access to company resources and restrict access with “default deny” rules.

But what if you want to automate Tailscale access requests and approvals so that on-call employees and engineers can get access to sensitive resources where and when they need it? That’s why we’re really excited to partner with ConductorOne, which pulls your Tailscale identities and ACLs into a centralized, automated identity security control center that gives you greater control over who has access to what and — crucially — when.

As your teams grow and become more distributed, it makes sense to limit an employee’s access based on their job function rather than to give everyone persistent access to your production environment. This not only lets you manage sensitive resources such as customer data more effectively, but it also reduces the risk of accidentally impacting production — for example, by running a query meant for your staging environment. This doesn’t mean you want to prevent the legitimate use of these resources, such as when someone’s on call, but simply to ensure they only have access when they’re on call.

Following the principle of least privilege, teams should limit access to sensitive production resources to only those who need it, and only when they need it. Tailscale ACLs already let you manage access to company resources and restrict access by default with “default deny” rules. But what if someone needs access to a server they don’t normally use? That’s why we’re excited to partner with Indent — so members of your team can easily request, and reviewers can easily approve, time-bounded access to these resources without ever leaving Slack.

Tailscale lets you connect your computers to each other so that you can use them together securely. As technology continues to advance, we’ll be carrying around more and more devices that, for convenience, we’ll call “computers.” Some of them are more limited than others, but today I want to talk about one device in particular: the Steam Deck by Valve.

The Steam Deck is a handheld Linux computer that is used for playing desktop-grade PC games. Its portability allows you to take your Steam library on the go with you anywhere, just like a Nintendo Switch. The Deck is also notable because it runs a variant of Arch Linux called SteamOS. Valve’s philosophy is that the Steam Deck is just a PC. It is open and hackable for anyone to modify to fit their needs. Valve even gives you the drivers to install Windows on the Deck, in case you want to.

Today we’re delighted to introduce Tailscale SSH, to more easily manage SSH connections in your tailnet. Tailscale SSH allows you to establish SSH connections between devices in your Tailscale network, as authorized by your access controls, without managing SSH keys, and authenticates your SSH connection using WireGuard®.

Many organizations already use Tailscale to protect their SSH sessions — for example, to allow users to connect from their work laptop to their work desktop. Since Tailscale allows you to connect your devices in a virtual private network, and use access controls to restrict communications between them, we thought, “Why do we need SSH keys? Let’s just make SSH use your Tailscale identity.” And so we did.

For sensitive high-risk connections, such as those connecting as root, you can also enable check mode. Check mode requires a user to re-authenticate with your SSO (or to have recently re-authenticated) before being able to establish a Tailscale SSH connection.

Read on to learn more about what Tailscale SSH is, how it compares to other SSH solutions, and how to start using it in your tailnet.

Tailscale runs on many platforms, including macOS, and has a macOS version available in the App Store. If you’re using macOS at work, however, your team might not be able to roll out Tailscale to your entire organization if not everyone has an Apple ID. In this case, it’s common to use a mobile device management (MDM) solution that allows you to distribute applications that are not available in the App Store.

Starting with Tailscale v1.26, you can install Tailscale as a standalone macOS application. The standalone macOS application has all the same functionality as the version distributed in the App Store.

At Tailscale, we are ridiculously passionate about security and privacy—so much so that we built a product that, by design, can’t see your data. We don’t even want to see your data. Behind the scenes, we’ve been completing security audits, working with expert cryptographers to validate our key management, and ensuring we lock down access to our production environment.

We’re excited to announce that we’ve received our SOC 2 Type I report, reaffirming our commitment to security. Let’s dig into how Tailscale applies security controls to protect your information.

When Tailscale started working toward SOC 2, we started to ask some fundamental questions about growing and continually improving our security posture. This led us to partner with Latacora, a security firm that specializes in building information security practices for startups.

You can use Tailscale to securely connect to the resources you need for development, including internal tools and databases, no matter where you are or where your development environment lives.

Today, as part of DockerCon, we’re excited to launch our Tailscale Docker Desktop extension. The Tailscale extension for Docker Desktop makes it easy to share exposed container ports from your local machine with other users and devices on your tailnet.

Use Tailscale in Docker Desktop to share a staged copy of your work with a colleague as part of a code review, or share in-progress feedback with teammates. Or access production resources from your development environment, such a database, a package registry, or a licensing server. Because Tailscale works with SSO from your identity provider, Tailscale makes it easier to safely share what you’re working on with anyone in your organization, based on access controls.

This is an interview with Tailscale co-founder and CTO David Crawshaw from CyberNews, reprinted with permission.

The impressive technological progress led to a variety of exciting developments, such as the emergence of the cloud and wireless technology. With our lives being so interconnected with the digital realm, can we still have the same level of privacy as a few decades ago?