99% of companies want to ditch their VPN. See why in our 2025 Zero Trust ReportRead more
Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Contact sales
Get started - it's free!
Log in
WireGuard is a registered trademark of Jason A. Donenfeld.
Terms of ServicePrivacy PolicyCalifornia NoticeCookie Notice
© 2025 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.
Blog|productAugust 22, 2025

This month at Tailscale: Visual policy editor, state encryption, and Grafana Cloud

Darker green shapes, like squares and cut circle corners, against a lighter green background.
We continuously ship updates to make your network more reliable, manageable, and secure. Each month, we highlight some of the most impactful changes across clients, admin tools, integrations, and infrastructure—so you can stay on top of what’s new and what’s better.

This month's updates include a visual policy editor, encryption of data at rest, and a Grafana Cloud integration. For instructions on how to update to the latest version, visit our update guide.

Visual policy editor

Tailscale now gives you the option of using web-based forms, buttons, and other visual tools to manage your tailnet access permissions. The visual policy editor, now in beta, provides an alternative to the policy editor's HuJSON format (JSON for Humans), but it's not a replacement. You can switch back and forth between JSON writing and visual tools, use visual tools to preview changes made in JSON, and individual users and administrators can pick their preference.

Encrypting data at rest

With the latest client releases, Tailscale now encrypts its state file while it is stored on disk, or at rest. This makes it much harder for attackers with disk access to "clone" nodes or otherwise disrupt tailnet operation. Read more about how it works, on every OS, in our blog post.

Grafana Cloud integration

Tailscale and Grafana have partnered on a new integration that can securely connect data sources inside a tailnet to a Grafana Cloud stack, without exposing data sources to the public internet. Read more, and sign up for onboarding, at our blog post.

Client updates

Tailscale v1.86.0, 1.86.2, and 1.86.4

We released a series of updates and fixes to improve security and stability across all platforms.

All platforms

  • tsStateEncrypted device posture attribute available
  • Recommended exit node can now be set with tailscale up —exit-node=auto:any and tailscale set —exit-node=auto:any. Clients will automatically switch to recommended exit nodes when available exit nodes or network conditions change. (Windows/Mac/Linux)
  • Hostnames are now verified as expected when using CONNECT HTTPS proxy to connect to the control plane.
  • Fixed a cross-site request forgery (CSRF) issue that may have resulted in a log in error when accessing the web interface.
  • Fixed tailscale syspolicy CLI command output displaying correctly when the KeyExpirationNotice or ReconnectAfter system policies are configured (Windows/Mac).

Android

Fixed a persistent notification asking users to pick a directory for Taildrop files. The notification now only displays on the first attempt to use the feature.

iOS

Fixed issues with Shortcut actions, Taildrop sending, and keychain resets.

Windows

  • tailscale syspolicy CLI command output displays correctly when the KeyExpirationNotice or ReconnectAfter system policies are configured.
  • A system tray icon now shows when a selected exit node is unavailable.
  • Mullvad exit node picker hides after switching from a profile with Mullvad exit nodes to one without any exit nodes.

macOS

  • OnboardingFlow system policy enforces the suppression of the onboarding flow that displays when the client is installed. This replaces the deprecated TailscaleOnboardingSeen system policy.
  • Remove all accounts option added to the Debug menu.
  • Fixed Shortcut action issues
  • EncryptState system policy changes are applied without needing to restart the system extension

All of these fixes and changes are available in the current stable release, 1.86.4.

Container, Kubernetes, and tsrecorder updates

The 1.86.5 release for containers, Kubernetes, and tsrecorder contained library updates, along with a Kubernetes DNS lookup fix for certain API server proxy configurations.

Container image v1.86.2 and 1.86.5

Note: We previously referred to this as the Tailscale Docker image and now refer to it more generically as the Tailscale container image.

  • Improved direct connectivity to ProxyGroup Pods by using external node IP addresses as static endpoints.
  • Pod-specific state is cleared on start when running in Kubernetes.

Kubernetes operator v1.86.2

A number of new features and fixes were added to the Kubernetes operator, including:

tsrecorder v1.86.2

  • Library updates only

That's everything for this month. If you have questions or feedback, we're here to help. Thank you for using Tailscale.

Share

Author

Headshot of Kevin PurdyKevin Purdy
Loading...

Try Tailscale for free

Get started
Schedule a demo
Contact sales
cta phone
mercury
instacrt
Retool
duolingo
Hugging Face