The flagship conference for engineering, security, and IT leadersJoin us at TailscaleUp 2026
Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Schedule a demo
Get started - it's free!
Log in
WireGuard is a registered trademark of Jason A. Donenfeld.
Terms of ServicePrivacy PolicyCalifornia NoticeCookie Notice
© 2025 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.
Blog|productDecember 19, 2025

This month at Tailscale for December 2025

Light and medium-dark green shapes, like ovals, circles, and squares, against a very dark green background.
We continuously ship updates to make your network more reliable, manageable, and secure. Each month, we highlight some of the most impactful changes across clients, admin tools, integrations, and infrastructure—so you can stay on top of what’s new and what’s better.

Here's a rundown of what's changed in Tailscale's software lately. There are fixes, changes, updates to some of the latest features (announced during Fall Update Week), and more. For instructions on how to update to the latest version, visit our update guide.

Note: This month's post will cover November and most of December 2025, owing to awkward back-to-back U.S. holiday timing.

Changes

IP changes to Tailscale's logging infrastructure

The domain log.tailscale.com resolves to static IP address ranges registered and managed by Tailscale. If IP-based rules are required for your firewall, use the IPv4 range 199.165.136.0/24 and the IPv6 range 2606:B740:1::/48.

For more on configuring firewall rules (which most setups do not require), see our documentation on firewall ports.

Client updates

We released a series of updates and fixes to improve security and stability across all platforms. This summary covers versions 1.90.6 through 1.92.3.

Tailscale v1.92.3

All platforms

  • Routes no longer stall and fail to apply when updated repeatedly in a short period of time
  • Panic issue related to Peer Relays resolved
  • Deadlock issue no longer occurs when handling Peer Relays endpoint allocation requests
  • Memory leak in Peer Relays is resolved
  • tailscaled no longer deadlocks during event bursts
  • The client no longer hangs after wake up when port mapping is in use and interfaces are slow to become available
  • Tailscale Funnel and Tailscale Serve support the PROXY protocol
  • Tailscale Peer Relays can use static endpoints using the tailscale set command with the --relay-server-static-endpoints flag.
  • Tailscale Services can be configured to use a remote target as a service destination
  • Nodes can authenticate using workload identity federation with the tailscale up command flags --client-id and --id-token
  • Network flow logs automatically record node information about itself and peers it communicates with.
  • Tailnet Lock command tailscale lock log --json response returns Authority Update Messages (AUMs) in a more stable format
  • Tailscale Peer Relay endpoint advertisements include more candidate IP:port pairs
  • Tailscale Peer Relays support multiple, forward bind packets per handshake generation, which improves path selection and chances of completing a handshake
  • App connector routes no longer stall and fail to apply when updated repeatedly in a short period of time
  • WireGuard configuration that occurs automatically in the client, no longer results in a panic

macOS

  • Connectivity issue related to sleep and wake is resolved
  • Taildrop works as expected using the macOS Share option
  • Redundant label text for VoiceOver is removed from the exit node picker
  • Tailscale system extension no longer fails to install during an upgrade

Linux

iOS

  • Taildrop supported nodes are shown in Device Details
  • Redundant label text for VoiceOver is removed from the exit node picker

Android

  • DNS continues working when switching from cellular to Wi-Fi connections
  • An issue in custom control servers (Headscale) that could result in connectivity problems is resolved.

Container, Kubernetes, and tsrecorder updates

These summaries cover versions 1.90.6 through 1.92.4. There are library updates, in addition to these fixes and changes.

Container image v1.92.4

  • Nodes without the tailscaled --statedir flag or the TS_STATE_DIR environment variable no longer fail to enforce signing checks in tailnets with Tailnet Lock enabled. This fix addresses a security vulnerability described in TS-2025-008.
  • tailscaled no longer deadlocks during event bursts
  • The client no longer hangs after wake up when port mapping is in use and interfaces are slow to become available
  • iptables can be used on hosts that don't support nftables, as expected
  • Ensure errors for background certificate renewal failures are logged.

Kubernetes operator v1.92.4

  • The operator supports workload identity federation for authenticating to a tailnet using provider-native identity tokens
  • tailscale.com/http-redirect annotation can be applied to Ingress resources for enabling HTTP to HTTPS redirects
  • The operator defaults to using the stable image for nameservers deployed using the DNSConfig resource
  • Recorder resources can specify a replica count for highly available deployments. Using multiple replicas requires using an S3 storage backend
  • ArgoCD compatibility is improved. You can use both boolean and string values when setting the apiServerProxyConfig.mode and apiServerProxyConfig.allowImpersonation values.
  • The operator correctly reconciles managed Ingresses sharing the same namespace as other unmanaged Ingresses
  • ProxyGroup backed ingresses no longer get stuck during deletion if they use a Tailscale Service that had been deleted

tsrecorder v1.92.4

  • tsrecorder can use a file containing an auth key for authentication using the TS_AUTHKEY_FILE environment variable

Those are the highlights for the last two months. If you have questions or feedback, we're here to help. Thank you for using Tailscale.

Share

Author

Headshot of Kevin PurdyKevin Purdy
Loading...

Try Tailscale for free

Get started
Schedule a demo
Contact sales
cta phone
mercury
instacrt
Retool
duolingo
Hugging Face