WireGuard is a registered trademark of Jason A. Donenfeld.
© 2025 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.
July 25, 2025

This month at Tailscale: Tailnet Lock, Control plane IP changes, and headless Windows runners

We continuously ship updates to make your network more reliable, manageable, and secure. Each month, we highlight some of the most impactful changes across clients, admin tools, integrations, and infrastructure—so you can stay on top of what’s new and what’s better.

This month's updates include the general availability of Tailnet Lock, a shift and simplification in Tailscale's control-plane domains, and a fix to GitHub Actions on headless Windows runners. For instructions on how to update to the latest version, visit our update guide.

Tailnet Lock is generally available

Tailnet Lock, first introduced in December 2022, provides even more security and control for your tailnet by allowing you to take over control of signing nodes and keys. With Tailnet Lock, you can use Tailscale without having to trust Tailscale. After testing with thousands of tailnets, Tailnet Lock is now ready for production use.

Tailnet Lock uses a Trust On First Use (TOFU) model, letting you create your signing nodes and disablement secrets, then removing Tailscale's role in signing new nodes onto your tailnet. It's up to you whether you share a disablement secret with Tailscale's support team, offering a way to disable Tailnet Lock in case of emergency. Since Tailnet Lock's announcement, we've also added safeguards against removing all signing nodes, and included webhook events to help with node signing, alerts, and audits.

You can read more on how Tailnet Lock works in our whitepaper and get started with it using our documentation.

Changes to Tailscale's control plane IP ranges

Tailscale does not typically require firewall rule changes to function. But if IP-based firewall rules are necessary, Tailscale can be managed with the IPv4 range 192.200.0.0/24 and the IPv6 range 2606:B740:49::/48. More information is available in our docs on firewall ports.
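
For teams that do maintain IP-based egress rules, the following added example (not Tailscale's own code) audits an allowlist against the two ranges above and flags rules that cover only part of a range. The function name and the sample allowlist are constructed for illustration.

```python
import ipaddress

# Control-plane ranges exactly as stated in the post.
CONTROL_PLANE = ["192.200.0.0/24", "2606:B740:49::/48"]


def audit_allowlist(rules):
    """Classify each control-plane range against an egress allowlist.

    Returns {range: "covered" | "partial" | "missing"}.
    "partial" means some but not all addresses in the range are allowed,
    which typically shows up later as intermittent connection failures.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in rules]
    result = {}
    for cidr in CONTROL_PLANE:
        target = ipaddress.ip_network(cidr)
        # collapse_addresses() rejects mixed IPv4/IPv6 input, so filter first.
        same_family = [n for n in nets if n.version == target.version]
        # Merging adjacent rules lets two /25s count as covering a /24.
        merged = list(ipaddress.collapse_addresses(same_family))
        if any(target.subnet_of(m) for m in merged):
            result[cidr] = "covered"
        elif any(target.overlaps(m) for m in merged):
            result[cidr] = "partial"
        else:
            result[cidr] = "missing"
    return result


if __name__ == "__main__":
    # Constructed sample allowlist: IPv4 split across two rules,
    # IPv6 rule narrower than the published /48.
    sample_rules = [
        "192.200.0.0/25",
        "192.200.0.128/25",
        "2606:b740:49::/64",
        "10.0.0.0/8",
    ]
    for cidr, status in audit_allowlist(sample_rules).items():
        print(f"{cidr:22} {status}")
```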

GitHub Action fix for headless Windows runners

Windows-based runners without a graphical interface would fail to run the Tailscale GitHub Action on some systems, due to a missing --unattended argument to enable unattended mode.

Client updates

Tailscale v1.84.3 (June 26)

  • Android TV: Internal issue fix; exclusive release for Android TV.

Docker, Kubernetes, and tsrecorder updates

Docker image v1.84.3

  • Library updates only

Kubernetes operator v1.84.3

  • Fixes High Availability (HA) Ingress proxy startup issue with issuing TLS certificates

tsrecorder v1.84.3

  • Library updates only

That's everything for this month. If you have questions or feedback, we're here to help. Thank you for using Tailscale.

Author: Kevin Purdy