Note: Tailscale v1.78.2 was an internal-only release.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
TS_SERVE_CONFIG environment variable.A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
Note: This version contains no changes except for library updates.
Note: Purchasing the Mullvad exit nodes add-on for your trial tailnet will result in changes requiring action. For more information, see the Pricing & Plans FAQ topic.
A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
Note: This version contains no changes except for library updates.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
Tailscale client metrics can be enabled using a ProxyClass with the .spec.metrics.enable field set.
All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
ProxyClass supports configuring topology spread constraints for the Proxy Pods.
Connector Custom Resource Definition (CRD) can be used to configure the Kubernetes Operator to deploy a Tailscale app connector on Kubernetes.
Tailscale running on Kubernetes and using a Kubernetes Secret as a state store writes Kubernetes Events to its Pod when changes occur to the state stored in the Kubernetes Secret. The same is true when there are errors related to reading or writing the state. This should help debugging issues related to transient errors when talking to the Kubernetes API server to retrieve or update the state Secret.
Kubernetes Operator can optionally create a Prometheus ServiceMonitor for proxy resources that have Tailscale client metrics enabled.
Container Storage Interface (CSI) driver volume for the operator's OAuth client credentials can be configured by using Helm values.
Kubernetes Ingress has clearer warnings if it has been deployed to a tailnet that has no HTTPS enabled. Specifically, a new warning in proxy logs and empty hostname on the Ingress status.
tailscale.com/tailnet-ip annotation is validated that it holds a valid IP address.
Timeout for Kubernetes API server calls for reading/updating tailscaled state stored in a Kubernetes Secret has been changed from 5 seconds to the total of 30 seconds for the read/update operation and an operation to emit an Event about the state update. This should reduce errors related to slow API server connections.
The ProxyClass field .spec.metrics.enable enables metrics at both /metrics and /debug/metrics, but /debug/metrics is deprecated. Users relying on /debug/metrics need to set .spec.statefulSet.pod.tailscaleContainer.debug.enable (which is a new field in Tailscale 1.78.1) until Tailscale 1.82.0 releases. When 1.82.0 releases, /metrics and /debug/metrics will both independently default to false.
Kubernetes operator proxy containers created for ingress and egress Service resources, Connectors and ProxyGroups are privileged. This is needed because of recent changes in containerd. For more context, see tailscale/tailscale/pull/14262.
Tailscale running on Kubernetes reads its state from a Secret only once, and that is upon initial start. This should reduce bugs caused by transient issues when connecting to the Kubernetes API server as well as reduce the load on the API server and improve latency for state operations.
Kubernetes Egress Service ports for ProxyGroup can be changed from a single unnamed port to one or more named ports.
Clients should more accurately detect whether they are in a container when checking for updates.
A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
tailscale metrics command has been added, to expose and collect client metrics for use with third-party monitoring systems.tailscale syspolicy command has been added, to list system policies, reload system policies, or view errors related to the system policies configured on the device.ip:country has been added as a device posture attribute (beta).A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
Note: v1.76.4 and v1.76.5 were internal-only releases.
Note: v1.76.3 includes fixes for Windows devices only, and is exclusively released for Windows.
Note: v1.76.2 includes fixes for Android TV devices only, and is exclusively released for Android.
tailscale netcheck CLI command no longer crashes when performing diagnostics on networks lacking UDP connectivity.SERVFAIL responses no longer cause DNS timeouts when using an exit node./bin/login is missing.A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
Note: This version contains no changes except for library updates.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
TS_STATE_DIR environment variable. The state directory also defaults to /tmp/ for all tsrecorder installations that explicitly set the statefile location.acceptEnv field.acceptEnv field..pkg installer for the standalone variant prevents potential conflicts by showing a warning if it detects a Homebrew install of Tailscale.Tailscale v1.74.2 addresses an issue for iOS, and is exclusively released for that platform.
expiry and comment parameters have been added to the Set custom device posture attributes endpoint of the device posture attribute API.Tailscale v1.74.1 addresses issues for Linux and Android, and is exclusively released for those platforms.
Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
Note: This version contains no changes except for library updates.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
tsrecorder to Kubernetes.ProxyClass can now be specified for the Kubernetes Operator proxies. If you are using Helm, the default ProxyClass can be configured in the proxyConfig.defaultProxyClass Helm value or set using PROXY_DEFAULT_CLASS environment variable.A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
Note: This version contains no changes except for library updates.
v0.17.0 of the Tailscale Terraform Provider has been released with the following changes:
tailscale_webhook.tailscale_contacts.tailscale_posture_integration.tailscale_logstream_configuration.tailscale_tailnet_settings.tailcale_dns_split_nameservers now properly removes the previous domain value.tailcale_users.tailscale_user.AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.tailscale dns CLI command is added for accessing Tailscale DNS settings and status.tailscale set -—accept-dns or tailscale up -—accept-dns is enabled and the Override local DNS option in the DNS page of the admin console is disabled.Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.
Tailscale v1.72.2 addresses issues for macOS, iOS, and tvOS, and is exclusively released for those platforms.
Tailscale v1.72.1 addresses a Linux-specific issue, and is exclusively released for the Linux platform and containers.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
/healthz can be enabled by setting TS_HEALTHCHECK_ADDR_PORT to [addr]:port.A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
DNSConfig CRD reconcile logic is fixed for dual-stack clusters.A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
tailscale cert command now contains the --min-validity flag. Use this flag to request a specified minimum remaining validity on the returned certificate. This flag is intended for automation, like cron jobs, that periodically refreshes certificates.tailscale lock command now supports passing keys as files. To pass a key as a file, use the prefix file: followed by the path to the file: file:<path-to-key-file>.Note: macOS 10.15 Catalina is no longer supported. See the v1.60.0 changelog for our initial end of life announcement.
via are included in the Preview rules tab of the Access Controls page of the admin console.src in ACL rules supports all role-based autogroups.We have added the following endpoints to Tailscale's public API:
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.
Service status now includes a custom Tailscale proxy status condition.kubectl exec sessions.Service is deleted.A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
tsrecorder now plays session recordings for interactive sessions initiated by a command that explicitly specifies shell.AllowedSuggestedExitNodes system policy. Applies only to platforms that support system policies.tailscale set command).tailscale command.tailscale update command now works correctly.auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.AllowedSuggestedExitNodes system policy restricts which exit nodes Tailscale recommends or automatically selects.tailscale update command now works correctly.Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.
auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.ExitNodeID system policy.auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.wireguard-go memory pool deadlock issue is resolved.auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.wireguard-go memory pool deadlock issue is resolved.wireguard-go memory pool deadlock issue is resolved.We have added the following endpoints to Tailscale's public API:
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS. To learn more, see Performance best practices.tailscaled state in a Kubernetes Secret can now be enforced to read the Kubernetes API server address and port from the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS. By default, the values are read from the Kubernetes Service in the default namespace. To enforce the environment variables, set TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV to true.A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.
proxyClass.spec.tailscale.acceptRoutes field. To learn more, see our ProxyClass documentation.A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.
--state flag or the TS_STATE environment variable can be used to specify a Kubernetes Secret as tailscaled state store when deploying the tsrecorder container.--dst flag for destination can be set as the environment variable TSRECORDER_DST when deploying the tsrecorder container.--bucket flag for the S3 bucket name can be set as the environment variable TSRECORDER_BUCKET when deploying the tsrecorder container.--hostname flag for the hostname can be set as the environment variable TSRECORDER_HOSTNAME when deploying the tsrecorder container.--ui flag for the user interface can be set as the environment variable TSRECORDER_UI when deploying the tsrecorder container.tailscale lock status now prints the node's signature..exe installer no longer downloads MSI packages for Windows 7 and Windows 8, automatically. See the v1.42.0 changelog for our initial end of life announcement./usr/local/bin by going to Settings, CLI integration, then Show me how..pkg installer terminates pre-existing copies of Tailscale and the VPN extension before proceeding with installation if Tailscale was already installed.Using Exit Node label no longer appears incorrectly in the app menu before completing onboarding, upon the first time app launch.ManagedByOrganizationName system policy.Note: The Tailscale client releases for containers such as the Kubernetes operator, Docker image, and tsrecorder are typically released a few days after the initial client release. A separate changelog will be published when client updates for containers are available.
autogroup:danger-all is used in ACLs.Note: Tailscale v1.66.2 was an internal-only release.
tailscale up.ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.ProxyClass CRD.
Refer to ProxyClass API.tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.ProxyClass. Refer to ProxyClass API.init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.Secret is pre-created for the tailscaled state. Refer to #11326.tailscaled state Secret. Refer to #11326.This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.
tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.nftables rules for stateful filtering, introduced in v1.66.0.* when used in the src field in ACLs has been changed. Previously, * expanded to include any IPv4 and IPv6 address. With this change, * expands to all Tailscale IP addresses and all IP addresses from approved subnet routes.autogroup:danger-all ACL type has been added, which matches the previous definition of * when used in the src field. If you are using default ACLs or have specified * in src, you don't need to make any ACL changes to get the new secure behavior.We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.
--stateful-filtering flag for the tailscale up to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.
tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.--stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false..txt file from the Bug Report view to help the Tailscale support team diagnose issues.We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.
tailscale serve headers are now RFC 2047 Q-encoded.100.100.100.100..pkg installer no longer requires a system restart after installing the client (Standalone variant only).tailscale configure kubeconfig now respects KUBECONFIG environment variable.tailscale configure kubeconfig now works with partially empty kubeconfig.msiexec to reboot the operating systemdevices and personal access tokens belonging to users with the IT admin user roletailscale bugreport command for generating diagnostic logs now contain ethtool informationManagedByOrganizationName, ManagedByCaption, and ManagedByURL system policy keys are now supported.pkg installer package is now available for the standalone release of the Tailscale clientsshTests ACL top-policy section lets you write assertions about your SSH access rules and functions similarly to ACL tests, but for Tailscale SSHuser:*@<domain> ACL autogroup allows access for any user whose login is in the specified domain and is a direct member of the tailnetlocalpart:*@<domain> ACL autogroup allows Tailscale SSH access to a user on the host whose name matches the local-part of the user's Tailscale login8080 to other devices in your tailnet works as expectedtailscale status and tailscale exit-node list.Note: Free trials are available for business customers. For details about billing, plan comparison, and support, see Pricing & Plans FAQ. For instructions on how to change your plan, see Modify billing.
tailscale status command output now includes location-based exit nodestailscale web command flag --read-only is added to run the web UI in read-only modetailscaled could be slow or cause increased CPU usage with large routing tablesNote: Tailscale v1.60.0 is built with Go 1.22 and Go 1.22 is the last release that will run on macOS 10.15 Catalina (source). We are providing notice that around August 15, 2024, Tailscale will be built with Go 1.23 at which time macOS users that want to run the latest version of Tailscale will require macOS 11 Big Sur or later. Note that macOS 10.15 Catalina is no longer supported by Apple and is no longer receiving security updates.
ProxyClass custom resource that allows you to provide a custom configuration for cluster resources that the operator creates/) suffix* wildcard in a tailnet policy file or configuration flow. Instead, tag all app connectors and then use the tags as a selector. Existing * configurations will need to update to a tag-based selector upon the next tailnet policy file change. For details, see Wildcard connectors no longer supported.Note: The 1.58.1 release needed to be re-done. Use 1.58.2 instead.
Note: Rollout of 1.58.0 paused on 21-Jan-2024 while we investigate reports of a regression with portmapping.
KeyExpirationNotice system policy is now supported to customize the time interval before a key expiration notice is displayed to the userKeyExpirationNotice system policy is now supported to customize the time interval before a key expiration notice is displayed to the usernetsh.exe uses the absolute path instead of the relative pathExact path type is usedtailscaled using a mounted config filetailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001). This release is intended for Windows 7 and 8 users. Those with later versions of Windows should run the latest stable version of Tailscale, which is 1.56.1. This issue was resolved in Tailscale 1.52.login.tailscale.comlogin.tailscale.comlogin.tailscale.comtailscale whois command shows the machine and user associated with a Tailscale IP addresstailscale switch --list command shows name and profile ID to disambiguate profiles with common login namestailscale update command is supported for Unraidcontainerboot symlinks its socket file if possible, making the Tailscale CLI work without --socket=/tmp/tailscale.sock/etc/resolv file formatting with Tailscaled-on-macOS is improvedService annotationproto field is now supported in ACL testsfd7a:115c:a1e0::/48. Previously IPv6 addresses were assigned from fd7a:115c:a1e0:ab12::/64."checkPeriod": "always" in your tailnet policy file from the Access controls page of the admin consoletailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to if the machine administrator had previously granted that user tailscale up --operator privilege (TS-2024-001)tailscale update command for the standalone macOS applicationtailscale update commandtailscale cert command renews in the background. The current certificate only displays if it has expired.tailscale status command displays a message about client updates when newer versions are availabletailscale up command displays a message about client updates when newer versions are availabletailscale set command flag --auto-update is added to opt in to automatic client updates (beta)tailscale serve and tailscale funnel commands are updated for improved usabilitytailscale update command for manual updates is now in betanftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is usedNetworkManager with configured but absent systemd-resolved, such as EndeavourOSresolvconf version 1.90 or latertailscale set command flag --auto-update is added to opt in to automatic client updates (beta)tailscale serve and tailscale funnel commands are updated for improved usabilitytailscale update command for manual updates is now in betaiphlpsvc, netprofm, and WinHttpAutoProxySvc service dependencies are checked during installationtailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001)tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)tailscale serve and tailscale funnel commands are updated for improved usabilitytailscale update command for manual updates is now in betatailscale update command is unhidden on most platformstailscale ping command sends an ICMP Ping code of 0tailscale webcommand updated to use Reacttailscale debug portmap command now has the --log-http optiontailscale netcheck command works even if the OS platform lacks CA certificatesiptables and iproute2 packages as recommended, not requirednftables support interoperates with Uncomplicated Firewall (UFW)tailscale bugreport logs contain additional diagnostic information%20 in file names when sending files to Windows devices%20 in file names when sending files to Windows devicestailscale update (#8927)tailscale exit-node subcommand--upstream flag in the tailscale version commandtailscale funnel command provides an interactive web UI that prompts you to allow Tailscale to enable Tailscale Funnel on your behalftailscale serve command provides an interactive web UI that prompts you to allow Tailscale to enable HTTPS and Tailscale Funnel on your behalfNote: 1.48.0 introduced a regression in the interaction between Tailscale and Linux ufw. The Linux release has been withdrawn pending a fix.
nftablestailscale update command on Alpine, Arch and Fedora distro familiestailscale update commandtailscale update commandautogroup:member in addition to autogroup:members when referring to all users in a tailnetlogs:read OAuth scope can be used to grant API access to configuration audit logsnetwork-logs:read OAuth scope can be used to grant API access to network flow logstailscale serveNote: This is the last release to support the following operating systems:
• macOS 10.13 High Sierra
• macOS 10.14 Mojave
Tailscale releases after 1.44.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.44.0 with future releases until at least June 30, 2024.
To install Tailscale on a High Sierra or Mojave system, visit the Purchased Items in the App Store Account page. macOS High Sierra or Mojave systems will be offered Tailscale 1.44 when the download link is clicked. If Tailscale does not appear in the Purchased Items it must first be successfully installed using a recent macOS system. The Tailscale app will then be available for the High Sierra or Mojave system to install from Purchased Items.
tailscale serve http command to serve over HTTP (tailnet only)tailscale ssh command now supports remote port forwarding--tun-userspace-networking stability improvements for userspace subnet routersportlist package. Update to use synchronous Poll() if this breaks your package.WatchIPNBus now only requires read-only permissions to readtailscale cert renewal decision is now based on the lifetime of the certificate instead of hard-coded. This better supports 14 day certificate lifetimes.tailscale ssh support improvements for Security-Enhanced Linux (SELinux) systemstailscale ssh supports user names with up to 256 charactersbuild_dist.sh better supports operating systems and CPU architectures which Tailscale release builds do not includenone, consent, login, select_account) for the user authentication page. If your
tailnet was already using a custom OIDC provider, we updated your setup automatically to use
consent, which prior to today was the only supported value.Note: This is the last release to support the following operating systems:
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows Server 2008
• Microsoft Windows Server 2012
Tailscale releases after 1.42.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.42.0 with future releases until at least May 31, 2024.
Note: Do not install this version of the Tailscale client on macOS 10.13. Upgrade to version 1.44.0 instead.
tailscale serve reset command to clear out the current
serve configurationgetentNote: This release switches to a new application signing certificate, which is valid through 2025.
priorityClassNametailscale cert command no longer causes timeout failurestailscale up --force-reauth will now display a warning and 5 second countdown
if you are connected over SSH over Tailscale, unless --accept-risk=lose-ssh is also givencom.tailscale.ipn.CONNECT_VPN and com.tailscale.ipn.DISCONNECT_VPNnodeDeleted webhook event is now generated when a node is removed from the tailnet, including automatic removal of ephemeral nodesautogroup:billing-admin and autogroup:auditor added as autogroupsautogroup:admin, autogroup:it-admin, autogroup:network-admin, and autogroup:owner
added as autogroupstailscale servetailscale up --shields-up simultaneouslytailscale serve issue that did not use actual SrcAddr as X-Forwarded-Fortailscale lock tskey-wrap has been replaced by tailscale lock signtailscale lock sign now supports signing auth keys--tun=userspace-networking issue running in Azure App Servicessetgroups and does not
impact other platforms.tailscale configure command to configure resources that you want to include in your tailnettailscale lock sign to sign pre-approved auth keys for use with tailnet locktailscale debug derp command to help diagnose DERP-related difficultytailscale debug capture command to write packet capturing for debuggingtailscale debug portmap command replaces tailscaled debug -portmap. This is now available on platforms without a tailscaled binary (like the macOS App Store).tailscale serve command has been overhauledtailscale serve funnel has been made into its own command, tailscale funnelNote: v1.38.0 was never released.
userNeedsApproval and userApproved events are available as webhook eventswebhookUpdated and webhookDeleted events are now generated when a
webhook is updated or deleted. These events are
subscribed by default and cannot be disabled.stdout for scripting with get-authkey utility--json flag for the tailscale lock status and
tailscale lock log commands--json flag for the tailscale version commandtailscale update command to update clienttailscale debug daemon-logs to watch server logstailscale status --json now includes KeyExpiry time and Expired boolean on nodestailscale version now advertises when you're on the unstable (dev) track/etc/resolv.conf needs to be overwritten for lack of options, a
comment in the file now links to https://tailscale.com/s/resolvconf-overwritetailscaled as a non-root user works again,
as long as you only SSH to the same user that tailscaled is running asTS_KUBE_SECRET (#6704)https://login.tailscale.com) describes the action taking
place, such as adding a new device or authorizing SSH access. For some actions, like adding a
new node, a second redirection page will be used as a confirmation step.beta.tailscale.net nameserver if you are no longer using itnodeID included in all node-related webhook event payloadsbusybox ipTS_STATE_DIR in containerboottailscale serve (#6409)tailscale switch command to switch between accounts using fast user switchingtailscale login command to login with a specified accounttailscale set command to modify configuration settings without needing to repeat the otherstailscale lock command to manage tailnet lock for your tailnetQ-R-S-T-via-X (or Q-R-S-T-via-X.yak-bebop.ts.net), for systems that required dashes instead
of dotstailscale status health and tailscale up if there are nodes advertising routes but --accept-routes=falsetailscale login
and tailscale switchtailscale status health if something else overwrites
/etc/resolv.conftailscale login and
tailscale switch commandstailscale login and
tailscale switch commandswingoes for OLE support, use multithreaded apartmentC:\Users\(username)\Downloads directory (previously they were placed in the C:\Users\(username)\Desktop directory)run.sh with cmd/containerboottailscaled,
which can then be used to remotely execute code (CVE-2022-41924, TS-2022-004)Zone.Identifier alternate data stream for Taildrop filescom.apple.quarantine flag for Taildrop filesmy-server.yak-bebop.ts.net instead of
my-server.example.com. This is a display-only change and doesn't modify the name of any
machines.my-server or dashboard.ts.net instead of .beta.tailscale.net for the tailnet name
.beta.tailscale.net. If so, migrate to the new tailnet name. The existing beta.tailscale.net name remains supported until at least November 1, 2023.nodeAttrstailscaled --no-logs-no-support (or TS_NO_LOGS_NO_SUPPORT=true environment variable)tailscale bugreport --record flag to pause and write another bug reporttailscale netcheck looks for a captive portaltailscaledderp1-all.tailscale.com, available for firewall allowlists or other compliance requirementstskey-auth-012345abcdef instead of tskey-012345abcdeftailscale licenses with link to open source licensestailscaled exists and was using mem: state storageClose()/dev/net permissions in tailscale configure-hosttailscale logout to remove an ephemeral node from your tailnet immediatelyOneCGNATRoute setting which controls the routes that Tailscale clients will generatederper binary.
If you use the default Let's Encrypt mode, no action is requiredExitNodeStatus to tailscale status --jsontailscale ping -c N to properly exit after N ping requests even if there are timeoutsSERVFAIL if all upstream resolvers failssdp:allping (hostname)
now works correctlyAllowSameVersionUpgrades attribute on MajorUpgrade tag in Windows MSI scripttailscaled being able to restart while mosh-server is running from an SSH sessiontailscale up --operator="" clear a previously set operatorssh.exe over PATH*.ts.net DNS name--peerapi <peer> flag in tailscale ping to check connectivity to a peer using the PeerAPI--timeout <duration> flag in tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initializeLoginInteractive via LocalAPIWake-on-LAN function to PeerAPI. There is no UI for it currently./run.sh as an entrypoint for Docker container buildstailscale.com/client/tailscale package with LocalClient typeTS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUIautogroup:members as a tag owner, to enable device tagging by any
user who is a direct member (not a shared user) of the tailnetfile get --loopfile get --conflict=(skip|overwrite|rename)group as an option for the src field, and
as the host portion of the accept and deny fields.accept/deny in
addition to allow/deny when specifying destinations that the ACL rules should accept or deny.autogroup:members to write rules to allow access for users who are direct members (not shared users) of the tailnetuserspace-networking mode, always close SOCKS proxied connectionstailscaled --state=mem: registers as an ephemeral node and does not store state to disktailscale status --json now shows Tags and PrimaryRoutes for Peers. PrimaryRoutes shows whether a HA
subnet router is currently the active one.tailscale status --json | jq .TailnetName will show the name of the tailnettailscaled debug server's Prometheus metrics exporter now also includes Go runtime metricstailscaled supports a new TS_PERMIT_CERT_UID environment variable containing either a userid or username to
allow to fetch Tailscale TLS certificates for the node. This environment variable can be set in
/etc/default/tailscaled to permit non-root web servers on the local machine to fetch certs from tailscaled.--auth-key and --authkey both work as tailscale up arguments/proc/net/route filestailscale --operator=USER to use with Taildroptailscale statusfailed to look up user from userid error/var/packages/Tailscale/target/bin/tailscale configure-host to restore needed
permissions. We recommend adding this as a scheduled task at boot.src/dst in
addition to users/ports when referring to sources and destinationsautogroup:self for all tagged nodesautogroup:self ruleautogroup:self for users with mixed case accounts (#3954)/proc/net/route files for
very large routers/etc/resolv.conf handlingOnly the Synology client released v1.20.3. All other platforms remain with v1.20.2.
tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.userspace-networking modetailscale ip -1 flagOnline boolean to tailscale status --json, made tailscale status show offline nodestailscale up --jsondisableIPv4: true in ACLtailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)proto specified and allows * port rangeautogroup:self to write access rules to allow access to devices authenticated as the same user as the source IP addressip command to program routes and policy routingtailscaled debug server now exports Prometheus metrics at /debug/metricstailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)/etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf/etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager/etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your devicetailscale up --authkey=file:/path/to/secret supporttailscale up --qr for QR codeswhile tailscale up; do sleep 0.1; done loops in Docker startup scripts.tailscale debug--qr as part of tailscale up to generate a QR code for the login URL--tun=userspace-networking to dial the HTTPS domain name of the Tailnettailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.Note: v1.14.1 and v1.14.2 were never released.