Blog

Hi, it’s us again. You might remember us from when we made significant performance-related changes to wireguard-go, the userspace WireGuard® implementation that Tailscale uses. We’re releasing a set of changes that further improves client throughput on Linux. We intend to upstream these changes to WireGuard as we did with the previous set of changes, which have since landed upstream.

With this new set of changes, Tailscale joins the 10Gb/s club on bare metal Linux, and wireguard-go pushes past (for now) the in-kernel WireGuard implementation on that hardware. How did we do it? Through UDP segmentation offload and checksum optimizations. You can experience these improvements in the current unstable Tailscale client release, and also in Tailscale v1.40, available in the coming days. Continue reading to learn more, or jump down to the Results section if you just want numbers.

Tailscale Funnel, a tool that lets you share a web server on your private tailnet with the public internet, is now available as a beta feature for all users. With Funnel enabled, you can share access to a local development server, test a webhook, or even host a blog.

Funnel provides a DNS name tied to your node that becomes publicly accessible once enabled. When a user on the public internet requests your service, we use a secure Tailscale tunnel to forward those requests along.

We’re bringing Tailscale out of the network layer and into the real world with Tailscale Up, the first-ever in-person Tailscale community conference, on May 31 in San Francisco. Meet Open Source maintainers, hardware hackers, self-hosters, and Tailscalars (sometimes all the same person) to share stories and workflows, and hear about the latest projects and integrations we’ve been working on.

To stay updated on the latest developments and announcements about Tailscale Up, visit tailscale.dev/up and follow our Twitter and our fediverse account. In the coming weeks, we’ll share updates, including the event’s venue, speaker announcements, and the full schedule. You won’t want to miss out on this unique opportunity to meet and learn from others in the Tailscale community as well as Tailscale team members.

Tailscale’s API gives you programmatic access to many of your Tailscale resources, including devices on your tailnet, access controls in your tailnet policy file, and DNS settings. Today we’re launching two improvements to how you authenticate to the Tailscale API: the ability to create scoped access tokens limited to specific operations, and the ability to continually generate or refresh access tokens using OAuth clients.

Traefik, the popular load balancing and reverse proxy tool, has added support for Tailscale as a certificate resolver in Traefik Proxy 3.0 beta, the latest release of its forward proxy offering. Today, one of the engineers behind this integration has published a fun deep dive into how it works and how they’re using Tailscale to help with testing at Traefik.

This new feature means you can now access HTTPS-enabled services on your tailnet behind Traefik Proxy, without the headache of separately handling certificates or exposing an endpoint to resolve TLS challenges from Let’s Encrypt. Instead, Tailscale can manage your certificate life cycle and automatically renew your Let’s Encrypt certificate, and will do so under this setup as long as Traefik is running.

As we took a few days away from our keyboards over the holidays, we here at Tailscale also spent time reflecting on the year we had in 2022, which seemed to come and go before we knew it. It was quite a journey — and we wanted to share with you some highlights from what was a decidedly lively and groundbreaking year for us.

When setting up cloud infrastructure for your team, it often makes sense to provision sensitive services in private subnets. However, this usually means that those services are not easily accessible from your personal devices or CI/CD infrastructure. Tailscale already makes it possible to access those services by adding a private subnet router to your tailnet. But what happens if you need to quickly access something in a private subnet and then immediately terminate that connection?

Most organizations already have existing infrastructure, so the need to access or debug something in a private subnet is a relatively frequent problem. That’s why Pulumi has worked hard to create a way to quickly provision ephemeral VPN connections that you can spin up and tear down quickly. Connecti is a command line tool written in the Go programming language using Pulumi’s automation API, that allows you to declaratively provision Tailscale subnet routers in seconds without writing a single line of infrastructure code.

Pulumi is an open source infrastructure as code platform for creating, deploying, and managing cloud infrastructure. Pulumi works with both traditional infrastructures like VMs, networks, and databases, in addition to modern architectures such as containers, Kubernetes clusters, and serverless functions.

Continue reading to learn more about Tailscale and Connecti from Pulumi software engineer and Connecti creator Lee Briggs.

We’re pleased to announce that user & group provisioning for Okta is now generally available. You can sync group membership and deactivated users from Okta, and refer to a synced group as part of an access rule in your tailnet policy file.

Today we are happy to announce that Crunchy Bridge has integrated with Tailscale to provide easy access to your database from any of your devices, wherever they are running. Crunchy Bridge is a managed Postgres product that runs your database for you on your choice of cloud.

Users sometimes ask us, “How can I trust Tailscale?” From the beginning, we’ve tried to make it so you don’t have to, by architecting our infrastructure with security and privacy in mind. When you use Tailscale, your data is end-to-end encrypted. Tailscale doesn’t have the private key, so we can’t see your traffic. While Tailscale can’t observe the data transiting your tailnet, we are responsible for managing the control plane, where our coordination server distributes public keys and settings for your tailnet.

Which brings us to one glaring issue that has remained with our architecture: You have still needed to trust our coordination server. What if we were malicious, and stealthily inserted new nodes into your network? Tailscale could hypothetically use a secretly-added node to send or receive traffic to your existing nodes — meaning it wouldn’t matter that the traffic is encrypted because the peer itself would be malicious.

You should decide who to trust when it comes to your tailnet’s coordination server and how nodes are added to your tailnet. We don’t want you to have to trust us to get it right. So today, we’re taking the first steps with tailnet lock, a security feature where your nodes verify the public keys distributed by the coordination server before trusting them for network connectivity.

We made significant improvements to the throughput of wireguard-go, which is the userspace WireGuard® implementation that Tailscale uses. What this means for you: improved performance of the Tailscale client on Linux. We intend to upstream these changes to WireGuard as well.

You can experience these improvements in the current unstable Tailscale client release, and also in Tailscale v1.36, available in early 2023. Read on to learn how we did it, or jump down to the Results section if you just want numbers.

Fast user switching has come to Tailscale! Starting in v1.34, out today, you’ll be able to quickly switch between Tailscale accounts on the same device, without re-authenticating. (We heard you.)

Today, we’re sharing golink, an open source private URL shortener service for tailnets. Using golink, you can create and share simple go/name links for commonly accessed websites, so that anyone in your network can access them no matter the device they’re on — without requiring browser extensions or fiddling with DNS settings. And because golink integrates with Tailscale, links are private to users in your tailnet without any separate user management, logins, or security policies.

Last week, Tailscale hosted a three-day co-work week to prove Tailscale Runs Anywhere I Need (TRAIN) by traversing the Amtrak Coast Starlight line from Emeryville, CA to Seattle, WA. The week included a shared work day in Berkeley, an overnight on the train, a work day from the train’s observatory, and a work day from a lovely Airbnb in the Queen Anne neighborhood of Seattle.

Tailscale has recently been notified of security vulnerabilities in the Tailscale Windows client which allow a malicious website visited by a device running Tailscale to change the Tailscale daemon configuration and access information in the Tailscale local and peer APIs.

To patch these vulnerabilities, upgrade Tailscale on your Windows machines to Tailscale v1.32.3 or later, or v1.33.257 or later (unstable).

Tailscale lets you put all your devices on their own private tailnet so they can reach each other, ACLs permitting. Usually that’s nice and comforting, knowing that all your devices can then be isolated from the internet, without any ports needing to be open to the world.

Sometimes, though, you need something from the big, scary, non-Tailscale internet to be able to reach your device.

Tailscale is amazing. But you already knew that, right? There’s nothing more satisfying than being able to set up a secure network in seconds, almost like magic — except maybe realizing it’s Friday when you thought it was Thursday, but I digress.

Being a relatively new product, Tailscale is still adding features to make it even easier to use. One of the most requested features from both our enterprise customers as well as individual users are notifications for events happening in your tailnet, such as when new nodes are added or need to be authorized. Before Tailscale introduced the new feature I’m about to mention (shh… I know you saw it in the title, but just pretend you didn’t for a second), there wasn’t really a way for the admin of a tailnet to know if something had changed without constantly stalking the admin console for new warning badges on machines, or scrolling through the configuration audit logs for updates.

During my internship at Tailscale this past summer, I set out to fill this notification gap. (“I” meaning me, Laura the intern, not to be confused with the lovely individual of the same name who has been writing the Tailscale newsletter every month.) As a result of my (and many other peoples’) summer-long efforts, Tailscale now allows you to configure webhooks to notify you of specific kinds of events in your tailnet.

Today, we’re launching a web-based SSH client: Tailscale SSH Console.

From the Tailscale admin console, admins will now see a little “SSH…” button to connect to devices running Tailscale SSH. Click this, and you’ll pop open an SSH client, right in your browser. Tailscale SSH Console is now available in beta.

If you’re managing and using Tailscale along with several other users, it’s hard to keep track of what changes get made, even with audit logs. For example, another admin might make an update, or an event that you need to react to could occur — such as a node needing approval.

Tailscale automatically assigns IP addresses for every unique device in your network, giving each device an IP address no matter where it is located. We further improved on this with MagicDNS, which automatically registers a human-readable, easy-to-remember DNS name for each device —  so you don’t need to use an IP address to access your devices. This means you can access the device monitoring, even if it moves from on-prem to the cloud, without ever needing to know its IP address in the first place.

MagicDNS is such a useful feature that it’s been frustrating for us that not all Tailscale users know about it. We’re surprised that we often get suggestions like, “It would be great if Tailscale could just run a small DNS server for me” — when it already does! So we’re particularly excited to share that as of today, MagicDNS is generally available, and it’s enabled by default for new tailnets! (Already a Tailscale user, but not using MagicDNS yet? Click “Enable MagicDNS” in the DNS page of the admin console to get going.)

If you’re already using MagicDNS, your tailnet has been automatically assigned a new tailnet name of the form tail<hex>.ts.net, in addition to the existing name <domain>.beta.tailscale.net. If you’re sharing nodes with the beta name, we ask you to migrate to the new tailnet name. The existing beta name will be supported until at least November 1, 2023.

Understanding what changes were made to your Tailscale network, and who made them, is critical for maintaining the security and integrity of your network. That’s why we’re making it even easier for admins — and your auditors! — to review changes made to your tailnet’s configuration, such as adding devices, updating ACLs, or changing DNS settings.

Configuration audit logs, now in beta, capture changes made to your network in the coordination server. If you’re an admin of a tailnet, you can access audit logs for your tailnet in the logs tab of the admin console. From the console, you’ll see a table of changes made to your network, with the most recent events first, and you can filter by user, time, and action taken. Configuration audit logs are also available via API.