New and more granular OAuth scopes
- New scopes for OAuth clients have been added with more granular permissions. Existing OAuth clients using the previous set of scopes, and keys generated using these clients, are still valid.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
Note: v1.76.4 and v1.76.5 were internal-only releases.
Note: v1.76.3 includes fixes for Windows devices only, and is exclusively released for Windows.
Note: v1.76.2 includes fixes for Android TV devices only, and is exclusively released for Android.
tailscale netcheck
CLI command no longer crashes when performing diagnostics on networks lacking UDP connectivity.SERVFAIL
responses no longer cause DNS timeouts when using an exit node./bin/login
is missing.A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
Note: This version contains no changes except for library updates.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
TS_STATE_DIR
environment variable. The state directory also defaults to /tmp/
for all tsrecorder installations that explicitly set the statefile location.acceptEnv
field.acceptEnv
field..pkg
installer for the standalone variant prevents potential conflicts by showing a warning if it detects a Homebrew install of Tailscale.Tailscale v1.74.2 addresses an issue for iOS, and is exclusively released for that platform.
expiry
and comment
parameters have been added to the Set custom device posture attributes endpoint of the device posture attribute API.Tailscale v1.74.1 addresses issues for Linux and Android, and is exclusively released for those platforms.
Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
Note: This version contains no changes except for library updates.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
tsrecorder
to Kubernetes.ProxyClass
can now be specified for the Kubernetes Operator proxies. If you are using Helm, the default ProxyClass
can be configured in the proxyConfig.defaultProxyClass
Helm value or set using PROXY_DEFAULT_CLASS
environment variable.A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
Note: This version contains no changes except for library updates.
v0.17.0 of the Tailscale Terraform Provider has been released with the following changes:
tailscale_webhook
.tailscale_contacts
.tailscale_posture_integration
.tailscale_logstream_configuration
.tailscale_tailnet_settings
.tailcale_dns_split_nameservers
now properly removes the previous domain value.tailcale_users
.tailscale_user
.AuthKey
system policy can be used to authenticate a device with Tailscale using an MDM solution.tailscale dns
CLI command is added for accessing Tailscale DNS settings and status.tailscale set -—accept-dns
or tailscale up -—accept-dns
is enabled and the Override local DNS option in the DNS page of the admin console is disabled.Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.
Tailscale v1.72.2 addresses issues for macOS, iOS, and tvOS, and is exclusively released for those platforms.
Tailscale v1.72.1 addresses a Linux-specific issue, and is exclusively released for the Linux platform and containers.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
/healthz
can be enabled by setting TS_HEALTHCHECK_ADDR_PORT
to [addr]:port
.A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
DNSConfig CRD
reconcile logic is fixed for dual-stack clusters.A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
tailscale cert
command now contains the --min-validity
flag. Use this flag to request a specified minimum remaining validity on the returned certificate. This flag is intended for automation, like cron jobs, that periodically refreshes certificates.tailscale lock
command now supports passing keys as files. To pass a key as a file, use the prefix file:
followed by the path to the file: file:<path-to-key-file>
.Note: macOS 10.15 Catalina is no longer supported. See the v1.60.0 changelog for our initial end of life announcement.
via
are included in the Preview rules tab of the Access Controls page of the admin console.src
in ACL rules supports all role-based autogroups.We have added the following endpoints to Tailscale's public API:
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.
Service
status now includes a custom Tailscale proxy status condition.kubectl exec
sessions.Service
is deleted.A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
tsrecorder
now plays session recordings for interactive sessions initiated by a command that explicitly specifies shell.AllowedSuggestedExitNodes
system policy. Applies only to platforms that support system policies.tailscale set
command).tailscale
command.tailscale update
command now works correctly.auto:any
to automatically select an exit node for the existing ExitNodeID
system policy. Available for Enterprise plan users only.AllowedSuggestedExitNodes
system policy restricts which exit nodes Tailscale recommends or automatically selects.tailscale update
command now works correctly.Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.
auto:any
to automatically select an exit node for the existing ExitNodeID
system policy. Available for Enterprise plan users only.ExitNodeID
system policy.auto:any
to automatically select an exit node for the existing ExitNodeID
system policy. Available for Enterprise plan users only.wireguard-go
memory pool deadlock issue is resolved.auto:any
to automatically select an exit node for the existing ExitNodeID
system policy. Available for Enterprise plan users only.wireguard-go
memory pool deadlock issue is resolved.wireguard-go
memory pool deadlock issue is resolved.We have added the following endpoints to Tailscale's public API:
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS
. To learn more, see Performance best practices.tailscaled
state in a Kubernetes Secret
can now be enforced to read the Kubernetes API server address and port from the environment variables KUBERNETES_SERVICE_HOST
and KUBERNETES_SERVICE_PORT_HTTPS
. By default, the values are read from the Kubernetes Service
in the default namespace. To enforce the environment variables, set TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV
to true
.A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.
proxyClass.spec.tailscale.acceptRoutes
field. To learn more, see our ProxyClass documentation.A new release of the Tailscale tsrecorder
is available. You can download it from Docker Hub.
--state
flag or the TS_STATE
environment variable can be used to specify a Kubernetes Secret
as tailscaled
state store when deploying the tsrecorder
container.--dst
flag for destination can be set as the environment variable TSRECORDER_DST
when deploying the tsrecorder
container.--bucket
flag for the S3 bucket name can be set as the environment variable TSRECORDER_BUCKET
when deploying the tsrecorder
container.--hostname
flag for the hostname can be set as the environment variable TSRECORDER_HOSTNAME
when deploying the tsrecorder
container.--ui
flag for the user interface can be set as the environment variable TSRECORDER_UI
when deploying the tsrecorder
container.tailscale lock status
now prints the node's signature..exe
installer no longer downloads MSI packages for Windows 7 and Windows 8, automatically. See the v1.42.0 changelog for our initial end of life announcement./usr/local/bin
by going to Settings, CLI integration, then Show me how..pkg
installer terminates pre-existing copies of Tailscale and the VPN extension before proceeding with installation if Tailscale was already installed.Using Exit Node
label no longer appears incorrectly in the app menu before completing onboarding, upon the first time app launch.ManagedByOrganizationName
system policy.Note: The Tailscale client releases for containers such as the Kubernetes operator, Docker image, and tsrecorder are typically released a few days after the initial client release. A separate changelog will be published when client updates for containers are available.
autogroup:danger-all
is used in ACLs.Note: Tailscale v1.66.2 was an internal-only release.
tailscale up
.ExternalName
Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.ProxyClass
CRD.
Refer to ProxyClass
API.tailscaled
metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass
CRD. Note that the tailscaled
metrics are unstable and will likely change in the future. Refer to ProxyClass
API.ProxyClass
. Refer to ProxyClass
API.init
container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.Secret
is pre-created for the tailscaled
state. Refer to #11326.tailscaled
state Secret
. Refer to #11326.This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.
tailscale set
command flags --netfilter-mode
, --snat-subnet-routes
, and --stateful-filtering
are added.nftables
rules for stateful filtering, introduced in v1.66.0.*
when used in the src
field in ACLs has been changed. Previously, *
expanded to include any IPv4 and IPv6 address. With this change, *
expands to all Tailscale IP addresses and all IP addresses from approved subnet routes.autogroup:danger-all
ACL type has been added, which matches the previous definition of *
when used in the src
field. If you are using default ACLs or have specified *
in src
, you don't need to make any ACL changes to get the new secure behavior.We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.
--stateful-filtering
flag for the tailscale up
to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false
command.
tab
key to complete the item being typed. Set up tab completion by using the tailscale completion
command.tailscale exit-node suggest
command to automatically pick an available exit node that is likely to perform best.--stateful-filtering=false
in addition to --snat-subnet-routes=false
on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
will default to --stateful-filtering=false
..txt
file from the Bug Report view to help the Tailscale support team diagnose issues.We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.
tailscale serve
headers are now RFC 2047 Q-encoded.100.100.100.100
..pkg
installer no longer requires a system restart after installing the client (Standalone variant only).tailscale configure kubeconfig
now respects KUBECONFIG
environment variable.tailscale configure kubeconfig
now works with partially empty kubeconfig
.msiexec
to reboot the operating systemdevices
and personal access tokens belonging to users with the IT admin user roletailscale bugreport
command for generating diagnostic logs now contain ethtool informationManagedByOrganizationName
, ManagedByCaption
, and ManagedByURL
system policy keys are now supported.pkg
installer package is now available for the standalone release of the Tailscale clientsshTests
ACL top-policy section lets you write assertions about your SSH access rules and functions similarly to ACL tests
, but for Tailscale SSHuser:*@<domain>
ACL autogroup allows access for any user whose login is in the specified domain and is a direct member of the tailnetlocalpart:*@<domain>
ACL autogroup allows Tailscale SSH access to a user on the host whose name matches the local-part of the user's Tailscale login8080
to other devices in your tailnet works as expectedtailscale status
and tailscale exit-node list
.Note: Free trials are available for business customers. For details about billing, plan comparison, and support, see Pricing & Plans FAQ. For instructions on how to change your plan, see Modify billing.
tailscale status
command output now includes location-based exit nodestailscale web
command flag --read-only
is added to run the web UI in read-only modetailscaled
could be slow or cause increased CPU usage with large routing tablesNote: Tailscale v1.60.0 is built with Go 1.22 and Go 1.22 is the last release that will run on macOS 10.15 Catalina (source). We are providing notice that around August 15, 2024, Tailscale will be built with Go 1.23 at which time macOS users that want to run the latest version of Tailscale will require macOS 11 Big Sur or later. Note that macOS 10.15 Catalina is no longer supported by Apple and is no longer receiving security updates.
ProxyClass
custom resource that allows you to provide a custom configuration for cluster resources that the operator creates/
) suffix*
wildcard in a tailnet policy file or configuration flow. Instead, tag all app connectors and then use the tags as a selector. Existing *
configurations will need to update to a tag-based selector upon the next tailnet policy file change. For details, see Wildcard connectors no longer supported.Note: The 1.58.1 release needed to be re-done. Use 1.58.2 instead.
Note: Rollout of 1.58.0 paused on 21-Jan-2024 while we investigate reports of a regression with portmapping.
KeyExpirationNotice
system policy is now supported to customize the time interval before a key expiration notice is displayed to the userKeyExpirationNotice
system policy is now supported to customize the time interval before a key expiration notice is displayed to the usernetsh.exe
uses the absolute path instead of the relative pathExact
path type is usedtailscaled
using a mounted config filetailscale serve
and tailscale funnel
that allowed low-privilege users to serve files they did not have access to (TS-2024-001). This release is intended for Windows 7 and 8 users. Those with later versions of Windows should run the latest stable version of Tailscale, which is 1.56.1. This issue was resolved in Tailscale 1.52.login.tailscale.com
login.tailscale.com
login.tailscale.com
tailscale whois
command shows the machine and user associated with a Tailscale IP addresstailscale switch --list
command shows name and profile ID to disambiguate profiles with common login namestailscale update
command is supported for Unraidcontainerboot
symlinks its socket file if possible, making the Tailscale CLI work without --socket=/tmp/tailscale.sock
/etc/resolv
file formatting with Tailscaled-on-macOS is improvedService
annotationproto
field is now supported in ACL testsfd7a:115c:a1e0::/48
. Previously IPv6 addresses were assigned from fd7a:115c:a1e0:ab12::/64
."checkPeriod": "always"
in your tailnet policy file from the Access controls page of the admin consoletailscale serve
and tailscale funnel
that allowed low-privilege users to serve files they did not have access to if the machine administrator had previously granted that user tailscale up --operator
privilege (TS-2024-001)tailscale update
command for the standalone macOS applicationtailscale update
commandtailscale cert
command renews in the background. The current certificate only displays if it has expired.tailscale status
command displays a message about client updates when newer versions are availabletailscale up
command displays a message about client updates when newer versions are availabletailscale set
command flag --auto-update
is added to opt in to automatic client updates (beta)tailscale serve
and tailscale funnel
commands are updated for improved usabilitytailscale update
command for manual updates is now in betanftables
auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto
is usedNetworkManager
with configured but absent systemd-resolved
, such as EndeavourOSresolvconf
version 1.90 or latertailscale set
command flag --auto-update
is added to opt in to automatic client updates (beta)tailscale serve
and tailscale funnel
commands are updated for improved usabilitytailscale update
command for manual updates is now in betaiphlpsvc
, netprofm
, and WinHttpAutoProxySvc
service dependencies are checked during installationtailscale serve
and tailscale funnel
that allowed low-privilege users to serve files they did not have access to (TS-2024-001)tailscale set
command flag --auto-update
is added to opt in to automatic client updates (beta)tailscale serve
and tailscale funnel
commands are updated for improved usabilitytailscale update
command for manual updates is now in betatailscale update
command is unhidden on most platformstailscale ping
command sends an ICMP Ping code of 0
tailscale web
command updated to use Reacttailscale debug portmap
command now has the --log-http
optiontailscale netcheck
command works even if the OS platform lacks CA certificatesiptables
and iproute2
packages as recommended, not requirednftables
support interoperates with Uncomplicated Firewall (UFW)tailscale bugreport
logs contain additional diagnostic information%20
in file names when sending files to Windows devices%20
in file names when sending files to Windows devicestailscale update
(#8927)tailscale exit-node
subcommand--upstream
flag in the tailscale version
commandtailscale funnel
command provides an interactive web UI that prompts you to allow Tailscale to enable Tailscale Funnel on your behalftailscale serve
command provides an interactive web UI that prompts you to allow Tailscale to enable HTTPS and Tailscale Funnel on your behalfNote: 1.48.0 introduced a regression in the interaction between Tailscale and Linux ufw
. The Linux release has been withdrawn pending a fix.
nftables
tailscale update
command on Alpine, Arch and Fedora distro familiestailscale update
commandtailscale update
commandautogroup:member
in addition to autogroup:members
when referring to all users in a tailnetlogs:read
OAuth scope can be used to grant API access to configuration audit logsnetwork-logs:read
OAuth scope can be used to grant API access to network flow logstailscale serve
Note: This is the last release to support the following operating systems:
• macOS 10.13 High Sierra
• macOS 10.14 Mojave
Tailscale releases after 1.44.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.44.0 with future releases until at least June 30, 2024.
To install Tailscale on a High Sierra or Mojave system, visit the Purchased Items in the App Store Account page. macOS High Sierra or Mojave systems will be offered Tailscale 1.44 when the download link is clicked. If Tailscale does not appear in the Purchased Items it must first be successfully installed using a recent macOS system. The Tailscale app will then be available for the High Sierra or Mojave system to install from Purchased Items.
tailscale serve http
command to serve over HTTP (tailnet only)tailscale ssh
command now supports remote port forwarding--tun-userspace-networking
stability improvements for userspace subnet routersportlist
package. Update to use synchronous Poll()
if this breaks your package.WatchIPNBus
now only requires read-only permissions to readtailscale cert
renewal decision is now based on the lifetime of the certificate instead of hard-coded. This better supports 14 day certificate lifetimes.tailscale ssh
support improvements for Security-Enhanced Linux (SELinux) systemstailscale ssh
supports user names with up to 256 charactersbuild_dist.sh
better supports operating systems and CPU architectures which Tailscale release builds do not includenone
, consent
, login
, select_account
) for the user authentication page. If your
tailnet was already using a custom OIDC provider, we updated your setup automatically to use
consent
, which prior to today was the only supported value.Note: This is the last release to support the following operating systems:
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows Server 2008
• Microsoft Windows Server 2012
Tailscale releases after 1.42.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.42.0 with future releases until at least May 31, 2024.
Note: Do not install this version of the Tailscale client on macOS 10.13. Upgrade to version 1.44.0 instead.
tailscale serve reset
command to clear out the current
serve configurationgetent
Note: This release switches to a new application signing certificate, which is valid through 2025.
priorityClassName
tailscale cert
command no longer causes timeout failurestailscale up --force-reauth
will now display a warning and 5 second countdown
if you are connected over SSH over Tailscale, unless --accept-risk=lose-ssh
is also givencom.tailscale.ipn.CONNECT_VPN
and com.tailscale.ipn.DISCONNECT_VPN
nodeDeleted
webhook event is now generated when a node is removed from the tailnet, including automatic removal of ephemeral nodesautogroup:billing-admin
and autogroup:auditor
added as autogroupsautogroup:admin
, autogroup:it-admin
, autogroup:network-admin
, and autogroup:owner
added as autogroupstailscale serve
tailscale up --shields-up
simultaneouslytailscale serve
issue that did not use actual SrcAddr
as X-Forwarded-For
tailscale lock tskey-wrap
has been replaced by tailscale lock sign
tailscale lock sign
now supports signing auth keys--tun=userspace-networking
issue running in Azure App Servicessetgroups
and does not
impact other platforms.tailscale configure
command to configure resources that you want to include in your tailnettailscale lock sign
to sign pre-approved auth keys for use with tailnet locktailscale debug derp
command to help diagnose DERP-related difficultytailscale debug capture
command to write packet capturing for debuggingtailscale debug portmap
command replaces tailscaled debug -portmap
. This is now available on platforms without a tailscaled
binary (like the macOS App Store).tailscale serve
command has been overhauledtailscale serve funnel
has been made into its own command, tailscale funnelNote: v1.38.0 was never released.
userNeedsApproval
and userApproved
events are available as webhook eventswebhookUpdated
and webhookDeleted
events are now generated when a
webhook is updated or deleted. These events are
subscribed by default and cannot be disabled.stdout
for scripting with get-authkey
utility--json
flag for the tailscale lock status
and
tailscale lock log
commands--json
flag for the tailscale version
commandtailscale update
command to update clienttailscale debug daemon-logs
to watch server logstailscale status --json
now includes KeyExpiry
time and Expired
boolean on nodestailscale version
now advertises when you're on the unstable (dev) track/etc/resolv.conf
needs to be overwritten for lack of options, a
comment in the file now links to https://tailscale.com/s/resolvconf-overwritetailscaled
as a non-root user works again,
as long as you only SSH to the same user that tailscaled
is running asTS_KUBE_SECRET
(#6704)https://login.tailscale.com
) describes the action taking
place, such as adding a new device or authorizing SSH access. For some actions, like adding a
new node, a second redirection page will be used as a confirmation step.beta.tailscale.net
nameserver if you are no longer using itnodeID
included in all node-related webhook event payloadsbusybox ip
TS_STATE_DIR
in containerboottailscale serve
(#6409)tailscale switch
command to switch between accounts using fast user switchingtailscale login
command to login with a specified accounttailscale set
command to modify configuration settings without needing to repeat the otherstailscale lock
command to manage tailnet lock for your tailnetQ-R-S-T-via-X
(or Q-R-S-T-via-X.yak-bebop.ts.net
), for systems that required dashes instead
of dotstailscale status
health and tailscale up
if there are nodes advertising routes but --accept-routes=false
tailscale login
and tailscale switch
tailscale status
health if something else overwrites
/etc/resolv.conf
tailscale login
and
tailscale switch
commandstailscale login
and
tailscale switch
commandswingoes
for OLE support, use multithreaded apartmentC:\Users\(username)\Downloads
directory (previously they were placed in the C:\Users\(username)\Desktop
directory)run.sh
with cmd/containerboot
tailscaled
,
which can then be used to remotely execute code (CVE-2022-41924, TS-2022-004)Zone.Identifier
alternate data stream for Taildrop filescom.apple.quarantine
flag for Taildrop filesmy-server.yak-bebop.ts.net
instead of
my-server.example.com
. This is a display-only change and doesn't modify the name of any
machines.my-server
or dashboard
.ts.net
instead of .beta.tailscale.net
for the tailnet name
.beta.tailscale.net
. If so, migrate to the new tailnet name. The existing beta.tailscale.net
name remains supported until at least November 1, 2023.nodeAttrs
tailscaled --no-logs-no-support
(or TS_NO_LOGS_NO_SUPPORT=true
environment variable)tailscale bugreport --record
flag to pause and write another bug reporttailscale netcheck
looks for a captive portaltailscaled
derp1-all.tailscale.com
, available for firewall allowlists or other compliance requirementstskey-auth-012345abcdef
instead of tskey-012345abcdef
tailscale licenses
with link to open source licensestailscaled
exists and was using mem:
state storageClose()
/dev/net
permissions in tailscale configure-host
tailscale logout
to remove an ephemeral node from your tailnet immediatelyOneCGNATRoute
setting which controls the routes that Tailscale clients will generatederper
binary.
If you use the default Let's Encrypt mode, no action is requiredExitNodeStatus
to tailscale status --json
tailscale ping -c N
to properly exit after N ping requests even if there are timeoutsSERVFAIL
if all upstream resolvers failssdp:all
ping (hostname)
now works correctlyAllowSameVersionUpgrades
attribute on MajorUpgrade
tag in Windows MSI scripttailscaled
being able to restart while mosh-server is running from an SSH sessiontailscale up --operator=""
clear a previously set operatorssh.exe
over PATH
*.ts.net
DNS name--peerapi <peer>
flag in tailscale ping
to check connectivity to a peer using the PeerAPI--timeout <duration>
flag in tailscale up
to enforce a maximum amount of time to wait for the Tailscale service to initializeLoginInteractive
via LocalAPI
Wake-on-LAN
function to PeerAPI. There is no UI for it currently./run.sh
as an entrypoint for Docker container buildstailscale.com/client/tailscale
package with LocalClient
typeTS_NOLAUNCH
property to allow admins to deploy silent MSI installs without automatically starting the GUIautogroup:members
as a tag owner, to enable device tagging by any
user who is a direct member (not a shared user) of the tailnetfile get --loop
file get --conflict=(skip|overwrite|rename)
group
as an option for the src
field, and
as the host
portion of the accept
and deny
fields.accept
/deny
in
addition to allow
/deny
when specifying destinations that the ACL rules should accept or deny.autogroup:members
to write rules to allow access for users who are direct members (not shared users) of the tailnetuserspace-networking
mode, always close SOCKS proxied connectionstailscaled --state=mem:
registers as an ephemeral node and does not store state to disktailscale status --json
now shows Tags
and PrimaryRoutes
for Peers. PrimaryRoutes
shows whether a HA
subnet router is currently the active one.tailscale status --json | jq .TailnetName
will show the name of the tailnettailscaled
debug server's Prometheus metrics exporter now also includes Go runtime metricstailscaled
supports a new TS_PERMIT_CERT_UID
environment variable containing either a userid or username to
allow to fetch Tailscale TLS certificates for the node. This environment variable can be set in
/etc/default/tailscaled
to permit non-root web servers on the local machine to fetch certs from tailscaled
.--auth-key
and --authkey
both work as tailscale up
arguments/proc/net/route
filestailscale --operator=USER
to use with Taildroptailscale status
failed to look up user from userid
error/var/packages/Tailscale/target/bin/tailscale configure-host
to restore needed
permissions. We recommend adding this as a scheduled task at boot.src
/dst
in
addition to users
/ports
when referring to sources and destinationsautogroup:self
for all tagged nodesautogroup:self
ruleautogroup:self
for users with mixed case accounts (#3954)/proc/net/route
files for
very large routers/etc/resolv.conf
handlingOnly the Synology client released v1.20.3. All other platforms remain with v1.20.2.
tailscaled
now allows running the outgoing SOCKS5 and HTTP proxies on the same port.userspace-networking
modetailscale ip -1
flagOnline
boolean to tailscale status --json
, made tailscale status
show offline nodestailscale up --json
disableIPv4: true
in ACLtailscale file cp
sends via the local tailscaled now, so it now supports tailscaled
running in tun-free, userspace-networking
mode (such as on Synology DSM7 unless you enable TUN mode)proto
specified and allows *
port rangeautogroup:self
to write access rules to allow access to devices authenticated as the same user as the source IP addressip
command to program routes and policy routingtailscaled
debug server now exports Prometheus metrics at /debug/metrics
tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo
) (thank you Maxime Visonneau)/etc/resolv.conf
but pointed it to systemd-resolved
, use systemd-resolved
for DNS not resolvconf/etc/resolv.conf
but pointed it to systemd-resolved
, use systemd-resolved
for DNS not NetworkManager/etc/resolv.conf
being a bind mount into a container, such that we cannot rename()
it.ip
command. Set TS_DEBUG_USE_IP_COMMAND
environment variable to revert to use of /sbin/ip
if this breaks your devicetailscale up --authkey=file:/path/to/secret
supporttailscale up --qr
for QR codeswhile tailscale up; do sleep 0.1; done
loops in Docker startup scripts.tailscale debug
--qr
as part of tailscale up
to generate a QR code for the login URL--tun=userspace-networking
to dial the HTTPS domain name of the Tailnettailscale up
will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.Note: v1.14.1 and v1.14.2 were never released.