April 24, 2026

This month at Tailscale for April 2026


We continuously ship updates to make your network more reliable, manageable, and secure. Each month, we highlight some of the most impactful changes across clients, admin tools, integrations, and infrastructure—so you can stay on top of what’s new and what’s better.

Here's a rundown of what's changed in Tailscale's software since our last blog update in late March 2026. For instructions on how to update to the latest version, visit our update guide.

Aperture updates

  • New: Create custom guardrails with pre-LLM-call hooks to strip or block PII and restrict specific agent tools before requests reach the LLM.
  • New: Configure log retention time down to zero for request/response capture logs, with S3-compatible export supported.
  • New: Audit logs covering configuration changes, and admin views of logs owned by other users, are available through a new API endpoint and UI.
  • Changed: Set customizable quotas across providers, models, users, agents, or individual agent runs.

API-only tailnets and OAuth clients

Client updates

v1.96.5

These notable changes include all updates from versions 1.96.4 to 1.96.5. For detailed notes on each release, see our changelog.

Linux

  • Fixed: An issue on forks of Linux caused by fallback-on-ENOSYS logic is resolved. (Also on Synology)
  • Fixed: An issue that could cause a segmentation violation during startup on MIPS devices is resolved.

iOS/tvOS

  • Fixed: An issue that could cause the network extension to encounter an out-of-memory condition on large tailnets is resolved.

Android

  • Fixed: An issue causing a deadlock when disconnecting from a tailnet is resolved.

Container, Kubernetes, and tsrecorder updates

Container image v1.96.5

  • New: Services are now automatically advertised on startup. This can be disabled by setting the new environment variable, TS_EXPERIMENTAL_SERVICE_AUTO_ADVERTISEMENT, to false.
  • Fixed: The Tailscale container no longer tries to create a secret using TS_KUBE_SECRET when the variable is empty.

Kubernetes operator v1.96.5

  • New: Ingress and Egress ProxyGroup pods are able to request a new authkey when required.
  • New: Multiple tailnet access can be enabled with the use of the new Tailnet custom resource.
  • New: ProxyGroup creation controls can be managed by namespace with the new ProxyGroupPolicy custom resource.
  • Changed: The environment variable TS_EXPERIMENTAL_KUBE_API_EVENTS is removed. This can instead be set via Tailscale ACLs.
  • Fixed: The environment variable TS_LOCAL_ADDR_PORT no longer fails when it is populated with an IPv6 address without brackets.

tsrecorder v1.96.5

  • Changed: The Recorder CRD defaults to deploying a single replica StatefulSet, using the filesystem storage backend.

Those are the highlights for recent weeks. If you have questions or feedback, we're here to help. Thank you for using Tailscale.

Author

Kevin Purdy