We continuously ship updates to make your network more reliable, manageable, and secure. Each month, we highlight some of the most impactful changes across clients, admin tools, integrations, and infrastructure—so you can stay on top of what’s new and what’s better.
This month at Tailscale for March 2026
Here's a rundown of what's changed in Tailscale's software since our last blog update in late January 2026. There are changes to clients, integrations for new Tailscale features, and other updates. For instructions on how to update to the latest version, visit our update guide.
Changes
Tailscale Winter Update changes
Tailscale added a number of new features during Winter Update Week in late February 2026, including:
- Aperture by Tailscale, an AI gateway that makes distributing AI access, and visualizing AI usage, much easier.
- Tailscale Peer Relays, Tailscale Services, and workload identity federation became generally available
- Kubernetes API proxy audit logging, actor identifiers in network flow logs, and identity-enriched SSH logs on Linux are now available
- Device posture integrations for Fleet and Huntress are available.
- Log streaming support is extended to Google Cloud Storage (GCS)
Windowed UI on macOS
Starting with version 1.96.2, the macOS client now includes a windowed interface, providing easier access to network data and useful tools like Taildrop and Tailscale ping.
Client updates
v1.96.4
These notable changes are inclusive of all updates from versions 1.94.1 to 1.96.4. For detailed notes on each release, see our changelog.
All platforms
- Fixed: Ping view is Tailscale Peer Relay aware (all platforms)
- Changed: Tailscale Services virtual IPs are now automatically accepted by clients across all platforms regardless of the status of the `--accept-routes` feature.
- Changed: Tailscale Peer Relays deliver improved throughput through monotonic time comparison optimizations and reduced lock contention.
- Changed: The `tailscale lock status -json` command returns tailnet key authority (TKA) data in a stable format.
- New: `--audience` flag added to `tailscale up` command to support auto generation of ID tokens for workload identity.
- New: Identity tokens are automatically generated for workload identities.
- New: `tailscaled_peer_relay_forwarded_packets_total` and `tailscaled_peer_relay_forwarded_bytes_total` client metrics are available for Tailscale Peer Relays.
- New: `tailscaled_home_derp_region_id` client metrics are available.
- Fixed: Memory leak caused by high network map response rates is resolved.
- Changed: For 1.96.x, Go is updated from version 1.25 to 1.26.
- `tailscale dns query|status` command supports `--json` flag to return JSON output.
- New: `tailscale wait [flags]` command waits for Tailscale resources to become available for binding.
- New: `tailscale ip` command supports `--assert=<specific-ip-address>` flag to assert that one or more of the node's IP addresses matches the specified IP address.
- New: `tailscale version --track` and `tailscale update --track` support `release-candidate` flag to check for and update to release candidate builds.
- Fixed: The `AuthKey` system policy applies only when a user is not in a logged in state.
- Fixed: UPnP routes as expected during long-lived port mapping session scenarios, including hard NAT.
Linux
- An issue on forks of Linux caused by fallback-on-ENOSYS logic is resolved.
- An issue that could cause a segmentation violation during startup on MIPS devices is resolved.
- New: Launch the `systray` application on startup using autostart file with the `tailscale configure systray --enable-startup=freedesktop` command.
- Changed: Scaling of Tailscale Peer Relays UDP sockets is gated by container-aware GOMAXPROCS defaults.
- Fixed: Firewall rules created on Linux platforms correctly mark their traffic, avoiding reverse path filtering dropping connections and producing health warnings and risk prompts.
- Fixed: OpenWrt versions 25.12.0 or later using apk as a package manager support Tailscale updates.
- New: Custom DERP servers support Google Cloud Platform (GCP) Certificate Manager.
- New: Tailscale SSH authentication, when successful, results in `LOGIN` audit messages being sent to the kernel audit subsystem.
- Changed: Tailscale Peer Relay throughput is improved when the `SO_REUSEPORT` socket option is supported on multi-core systems.
- Fixed: Tailscale Peer Relay server handshake transmission is guarded against routing loops over Tailscale.
- Fixed: MagicDNS always resolves when using `resolv.conf` without a DNS manager.
macOS
- New: `AuthBrowser.macos` system policy sets a preferred browser for opening automatic authentication URLs.
- New: `HideDockIcon` system policy determines if the Tailscale Dock icon persists after all Tailscale windows close.
- New: Install and automatically update to release candidate versions of the client in the About section, Release Channel drop-down.
- Fixed: DNS related health warnings no longer display when Tailscale DNS is disabled.
- Fixed: `tssentinelId` command injection vulnerability has been removed. This fix addresses a security vulnerability described in TS-2026-001.
- Fixed: Ping view is Tailscale Peer Relay aware.
- Windowed UI mode for macOS is generally available.
- New: Double click an account in the Accounts section to switch to that account.
- New: A progress dialog indicates Tailscale is waiting on the browser to complete reauthentication.
- Fixed: The open source variant of Tailscale on macOS sets the `node:osVersion` attribute.
- Fixed: The Taildrop Send File action and shortcut do not transmit empty files on macOS Tahoe (version 26) or later.
- Fixed: Tailscale data directories for the macOS standalone version are excluded from Time Machine backups.
- Fixed: An issue that required a machine reboot after installing a Tailscale update is resolved.
Windows
- Fixed: DNS resolution issue caused by NRPT rule formatting is resolved.
iOS
- Changed: iOS bug report ID displays in its entirety instead of being truncated.
- Fixed: The Taildrop Send File action and shortcut do not transmit empty files on iOS version 26 or later.
Android
- Fixed: An issue causing a deadlock when disconnecting from a tailnet is resolved.
tvOS
- New: Use Tailscale Subnets toggle is added in Subnet Routing Settings.
Synology
- Fixed: An issue on forks of Synology Linux caused by fallback-on-ENOSYS logic is resolved.
Workload identity federation
- New: Workload identity federation supports provider-native identity token authentication for GitOps for Tailscale with GitHub Actions and GitOps for Tailscale with GitLab CI.
- New: Token exchange error details for a federated identity can be found in the Trust credentials page of the admin console.
Container, Kubernetes, and tsrecorder updates
Container image v1.94.1
- New: OAuth and workload identity federation support has been added for containers.
Kubernetes operator v1.94.2
- Fixed: Configuring a single invalid Tailscale FQDN for an egress will no longer cause the egress to crash. It will instead log the error and continue serving traffic.
- New: The Egress proxy can now send traffic to Tailscale service VIPs.
- New: Use Kubernetes API server proxy audit logging (beta) to record Kubernetes API events on your cluster, in addition to or instead of entire recordings, that pass through your Kubernetes Operator API server proxy.
- Fixed: In high availability (HA) mode, the write replica no longer serves stale TLS certificates after renewal.
- Fixed: Setting container resources for the Tailscale container will no longer result in an invalid value error for “1Mi.”
tsrecorder v1.94.1
This version contains no changes except for library updates.
Those are the highlights for recent weeks. If you have questions or feedback, we're here to help. Thank you for using Tailscale.
Author
Kevin Purdy