Tailscale v1.78.3
Update instructions
Note: Tailscale v1.78.2 was an internal-only release.
Containers
- Unit test that would previously fail if run in a container.
iOS
- Advanced DNS Settings view unexpectedly dismissed on iPhone.
Android
- Work in progress search bar is hidden behind a flag until the feature is ready.
Tailscale Docker image v1.78.3
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- A nil pointer exception when serve config is provided via the `TS_SERVE_CONFIG` environment variable.
Tailscale Kubernetes operator v1.78.3
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
Note: This version contains no changes except for library updates.
Mullvad exit nodes with trial tailnets
- The Mullvad exit nodes add-on can be purchased for tailnets that are in trial mode.
Note: Purchasing the Mullvad exit nodes add-on for your trial tailnet will result in changes requiring action. For more information, see the Pricing & Plans FAQ topic.
Tailscale tsrecorder v1.78.3
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
Note: This version contains no changes except for library updates.
Device posture integrations GA
- Device posture integrations GA (generally available)
- Restrict device access with Tailscale device posture management and additional GA integrations: Jamf Pro, Kandji, Microsoft Intune, and SentinelOne.
Tailscale Docker image v1.78.1
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
- Clients should more accurately detect whether they are in a container when checking for updates.
Tailscale Kubernetes operator v1.78.1
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
- Tailscale client metrics can be enabled using a `ProxyClass` with the `.spec.metrics.enable` field set.
- All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
- `ProxyClass` supports configuring topology spread constraints for the Proxy Pods.
- Connector Custom Resource Definition (CRD) can be used to configure the Kubernetes Operator to deploy a Tailscale app connector on Kubernetes.
- Tailscale running on Kubernetes and using a Kubernetes Secret as a state store writes Kubernetes Events to its Pod when changes occur to the state stored in the Kubernetes Secret. The same is true when there are errors related to reading or writing the state. This should help debugging issues related to transient errors when talking to the Kubernetes API server to retrieve or update the state Secret.
- Kubernetes Operator can optionally create a Prometheus ServiceMonitor for proxy resources that have Tailscale client metrics enabled.
- Container Storage Interface (CSI) driver volume for the operator's OAuth client credentials can be configured by using Helm values.
- Kubernetes Ingress has clearer warnings if it has been deployed to a tailnet that has no HTTPS enabled. Specifically, a new warning in proxy logs and empty hostname on the Ingress status.
- `tailscale.com/tailnet-ip` annotation is validated that it holds a valid IP address.
- Timeout for Kubernetes API server calls for reading/updating `tailscaled` state stored in a Kubernetes Secret has been changed from 5 seconds to the total of 30 seconds for the read/update operation and an operation to emit an Event about the state update. This should reduce errors related to slow API server connections.
- The `ProxyClass` field `.spec.metrics.enable` enables metrics at both `/metrics` and `/debug/metrics`, but `/debug/metrics` is deprecated. Users relying on `/debug/metrics` need to set `.spec.statefulSet.pod.tailscaleContainer.debug.enable` (which is a new field in Tailscale 1.78.1) until Tailscale 1.82.0 releases. When 1.82.0 releases, `/metrics` and `/debug/metrics` will both independently default to false.
- Kubernetes operator proxy containers created for ingress and egress Service resources, Connectors and ProxyGroups are privileged. This is needed because of recent changes in `containerd`. For more context, see tailscale/tailscale/pull/14262.
- Tailscale running on Kubernetes reads its state from a Secret only once, and that is upon initial start. This should reduce bugs caused by transient issues when connecting to the Kubernetes API server as well as reduce the load on the API server and improve latency for state operations.
- Kubernetes Egress Service ports for `ProxyGroup` can be changed from a single unnamed port to one or more named ports.
- Clients should more accurately detect whether they are in a container when checking for updates.
Tailscale tsrecorder v1.78.1
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
- Clients should more accurately detect whether they are in a container when checking for updates.
Tailscale v1.78.1
Update instructions
All platforms
- Issue which resulted in an unwanted change in source code line endings.
Tailscale v1.78.0
Update instructions
All platforms
- Client metrics have been added, to provide insights into Tailscale client behavior, health, and performance.
- `tailscale metrics` command has been added, to expose and collect client metrics for use with third-party monitoring systems.
- `tailscale syspolicy` command has been added, to list system policies, reload system policies, or view errors related to the system policies configured on the device.
- Tailscale system policies are applied immediately when pushed via mobile device management (MDM) or Group Policy, without requiring a client restart.
- Tailscale SSH session recording detects the disappearance of the recorder node sooner. This fix addresses a security vulnerability described in TS-2024-013.
Windows
- UI customization system policies are configurable for both devices and users.
macOS
- UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
- The macOS configuration report diagnostic tool can collect a larger amount of diagnostics when requested by Tailscale support. This includes system and process logs on the Standalone variant.
- Update Available notifications include a link to the client changelog.
- On macOS Sequoia, in System Settings.app > Login Items & Extension, Tailscale is listed as Tailscale Network Extension instead of IPNExtension, to reduce user confusion.
- Performance optimizations reduce CPU and memory usage when parsing network maps, especially for users on larger and busy tailnets.
- Performance optimizations at the UI layer reduce flickering of the menus, especially for users on larger and busy tailnets where the contents of the network map change very frequently.
- Error messages displayed when failing to toggle a setting are improved and easier to understand.
iOS
- UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
- On iPhones and iPads running iOS 18, the VPN can be toggled from Control Center. Hold down in an empty space to add the Tailscale Control.
tvOS
- UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
Android
- Authentication by using a generated code is available for Android TV users.
- Search bar shows suggestions.
- The default avatar displays if the user has no profile picture.
- False positive health warnings in the UI are reduced.
- Health warnings are no longer displayed in the UI after stopping Tailscale.
- Crashes when sharing a file using Taildrop from another Android app are reduced.
- UI padding of the main app toolbar is improved.
Country device posture attribute
- `ip:country` has been added as a device posture attribute (beta).
New and more granular OAuth scopes
- New scopes for OAuth clients have been added with more granular permissions. Existing OAuth clients using the previous set of scopes, and keys generated using these clients, are still valid.
Tailscale Docker image v1.76.6
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- Logging for when clients move home DERP regions is improved.
- Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.
Tailscale Kubernetes operator v1.76.6
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
- Logging for when clients move home DERP regions is improved.
- Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.
Log streaming integration with S3 buckets
- Tailscale network flow logs and configuration audit logs can now be streamed to Amazon S3 and S3-compatible services (beta).
Tailscale tsrecorder v1.76.6
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- Logging for when clients move home DERP regions is improved.
- Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.
Tailscale v1.76.6
Update instructions
Note: v1.76.4 and v1.76.5 were internal-only releases.
All platforms
- Logging for when clients move home DERP regions is improved.
- Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.
Android
- Android app no longer terminates unexpectedly when performing network transitions.
User approval and Invite any user GA
1Password XAM device posture integration GA
- 1Password Extended Access Management (XAM) GA (generally available)
- Restrict device access with 1Password XAM (formerly known as Kolide) and Tailscale device posture management.
Tailscale v1.76.3
Update instructions
Note: v1.76.3 includes fixes for Windows devices only, and is exclusively released for Windows.
Windows
- Mullvad VPN submenu no longer fails to populate with Mullvad exit nodes if there aren't any non-Mullvad exit nodes in the tailnet.
Tailscale v1.76.2
Update instructions
Note: v1.76.2 includes fixes for Android TV devices only, and is exclusively released for Android.
Android
- D-Pad navigation is optimized in the Tailscale app on Android TV devices.
Tailscale v1.76.1
Update instructions
All platforms
- `tailscale netcheck` CLI command no longer crashes when performing diagnostics on networks lacking UDP connectivity.
- Improperly formatted `SERVFAIL` responses no longer cause DNS timeouts when using an exit node.
Linux
- dbus login sessions no longer fail on systems where `/bin/login` is missing.
Android
- Android application no longer crashes in certain configurations when editing the app-based split tunneling settings.
Tailscale Docker image v1.76.1
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
Note: This version contains no changes except for library updates.
Google Workspace integration GA
- User & group provisioning for Google Workspace GA (generally available)
- Sync Google Workspace groups and users to use in your Tailscale ACLs.
Tailscale Kubernetes operator v1.76.1
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
- Tailnet services can be exposed to cluster workloads on multiple proxy replicas using a ProxyGroup. It's also possible to expose multiple tailnet services on a single set of ProxyGroup replicas.
- Single use proxy auth keys no longer persist in the state Secrets after the proxies have logged in. This should fix an issue where, in some edge cases, the leftover keys were causing the proxies to attempt to re-authenticate after Pod restart.
Tailscale tsrecorder v1.76.1
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- State directory can be set with the `TS_STATE_DIR` environment variable. The state directory also defaults to `/tmp/` for all tsrecorder installations that explicitly set the statefile location.
Tailscale v1.76.0
Update instructions
All platforms
- Clients lacking UDP connectivity no longer skip performing fallback latency measurements with DERP servers.
- Warnings no longer display unnecessarily.
- Tailscale connectivity on flights using Inflight Internet Wi-Fi (such as Alaska Airlines) no longer fails.
- Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
- Error messages include explanations in addition to the HTTP status code.
Linux
- Tailscale SSH supports sending environment variables to hosts. It's also possible to specify permitted environment variables using the `acceptEnv` field.
- Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when resizing the application window.
Windows
- Ping messages sent through subnet routers to unreachable hosts no longer generate ping responses.
macOS
- Tailscale SSH supports sending environment variables to hosts. You must specify permitted environment variables using the `acceptEnv` field.
- Tailscale `.pkg` installer for the standalone variant prevents potential conflicts by showing a warning if it detects a Homebrew install of Tailscale.
- Bug report view shows a warning if Tailscale detects that Cloudflare WARP is installed. Some Cloudflare WARP configurations conflict with Tailscale.
- DNS settings no longer improperly set when keys expire or Tailscale stops.
iOS
- Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
- DNS settings no longer improperly set when keys expire or Tailscale stops.
tvOS
- DNS settings no longer improperly set when keys expire or Tailscale stops.
Android
- Account switcher displays the server hostname if the account uses a custom coordination server.
- Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
- Quick tile toggle no longer fails to turn on Tailscale if Tailscale had been manually disconnected before it was last shut down.
Personal Plus pricing plan
- The Personal Plus pricing plan offers the same features as the Personal plan with up to 6 users for a flat rate. For details about billing, plan comparison, and support, see Pricing & Plans FAQ.
Tailscale v1.74.2
Update instructions
Tailscale v1.74.2 addresses an issue for iOS, and is exclusively released for that platform.
iOS
- The Tailscale app launches as expected when Wi-Fi Calling on This iPhone is enabled in the iOS Cellular settings.
Tailnet deletion
- Tailnets containing multiple users can be deleted from the admin console without first deleting the users manually.
Parameters added to Set custom device posture attributes endpoint
- The optional `expiry` and `comment` parameters have been added to the Set custom device posture attributes endpoint of the device posture attribute API.
Tailscale v1.74.1
Update instructions
Tailscale v1.74.1 addresses issues for Linux and Android, and is exclusively released for those platforms.
Linux
- Linux-only NAT traversal optimization added in v1.74.0 is now disabled following a bug report. The behavior is reverted to that of v1.72.x and earlier and will be re-added in a future release.
Android
Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.
- Device network change detection is improved to reflect accurate Tailscale DNS configuration updates.
- System policies for the Android client on ChromeOS work as expected.
Tailscale Docker image v1.74.1
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
Note: This version contains no changes except for library updates.
Tailscale Kubernetes operator v1.74.1
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
- Recorder CRD (custom resource) is added for deploying the Tailscale `tsrecorder` to Kubernetes.
- Default `ProxyClass` can now be specified for the Kubernetes Operator proxies. If you are using Helm, the default `ProxyClass` can be configured in the `proxyConfig.defaultProxyClass` Helm value or set using `PROXY_DEFAULT_CLASS` environment variable.
- Wildcards in RBAC role definitions are replaced with exact verbs.
Tailscale tsrecorder v1.74.1
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
Note: This version contains no changes except for library updates.
Tailscale Terraform Provider v0.17.0
v0.17.0 of the Tailscale Terraform Provider has been released with the following changes:
Resources
- Manage webhooks with `tailscale_webhook`.
- Manage contact preferences with `tailscale_contacts`.
- Manage device posture integrations with `tailscale_posture_integration`.
- Manage log streaming with `tailscale_logstream_configuration`.
- Manage Tailnet settings with `tailscale_tailnet_settings`.
- Changing the domain attribute for `tailscale_dns_split_nameservers` now properly removes the previous domain value.
Data Sources
- Fetch information for multiple users with `tailscale_users`.
- Fetch information for a specific user with `tailscale_user`.
Tailscale v1.74.0
Update instructions
All platforms
- `AuthKey` system policy can be used to authenticate a device with Tailscale using an MDM solution.
- `tailscale dns` CLI command is added for accessing Tailscale DNS settings and status.
- Go is updated to version 1.23.1.
- Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
- Log In option in the client works as expected.
Linux
- TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
- TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
Windows
- The client no longer connects to a tailnet automatically when restarting or switching profiles.
- Profiles created as Local System with Unattended Mode enabled are retained after a reboot.
macOS
- The open-source variant of the Tailscale client can now read the system DNS configuration to provide DNS resolution when `tailscale set --accept-dns` or `tailscale up --accept-dns` is enabled and the Override local DNS option in the DNS page of the admin console is disabled.
- DNS resolution continues to work after a key expires.
tvOS
- The ping feature allows you to observe connectivity performance between your Apple TV and other devices in your tailnet.
Android
Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.
- Tailscale DNS works as expected when switching between Wi-Fi and cellular networks.
- System policies for the Android client on ChromeOS work as expected.
MAC addresses matching in CrowdStrike Falcon
- Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.
Tailscale v1.72.2
Update instructions
Tailscale v1.72.2 addresses issues for macOS, iOS, and tvOS, and is exclusively released for those platforms.
macOS
- An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.
- An issue that could prevent Tailscale from automatically launching at login on some Macs is fixed.
iOS
- An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.
tvOS
- An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.
Configurable session timeouts
- Admin console session timeouts from inactivity are now configurable from the User Management Settings page of the admin console.
Tailscale v1.72.1
Update instructions
Tailscale v1.72.1 addresses a Linux-specific issue, and is exclusively released for the Linux platform and containers.
Linux
- TCP generic segmentation offload (GSO) support for userspace mode is removed.
- DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
Tailscale Docker image v1.72.1
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
Tailscale Kubernetes operator v1.72.1
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
- DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
Tailscale tsrecorder v1.72.1
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
Tailscale Docker image v1.72.0
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- An HTTP health check endpoint at `/healthz` can be enabled by setting `TS_HEALTHCHECK_ADDR_PORT` to `[addr]:port`.
Tailscale Kubernetes operator v1.72.0
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.
- Additional environment variables can now be passed for the Kubernetes Operator deployment via Helm chart options.
- `DNSConfig` CRD reconcile logic is fixed for dual-stack clusters.
Tailscale tsrecorder v1.72.0
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- Running without HTTPS is now allowed when UI is disabled.
Tailscale v1.72.0
Update instructions
All platforms
- Captive portal detection is now supported.
- The `tailscale cert` command now contains the `--min-validity` flag. Use this flag to request a specified minimum remaining validity on the returned certificate. This flag is intended for automation, like cron jobs, that periodically refreshes certificates.
- The `tailscale lock` command now supports passing keys as files. To pass a key as a file, use the prefix `file:` followed by the path to the file: `file:<path-to-key-file>`.
- A health warning is now raised if Tailscale is unable to forward DNS queries to the configured resolvers.
- An increase in send and receive buffer sizes for userspace mode TCP improves throughput over high latency paths.
Linux
- The addition of TCP generic segmentation offload (GSO) support to userspace mode improves throughput.
macOS
Note: macOS 10.15 Catalina is no longer supported. See the v1.60.0 changelog for our initial end of life announcement.
- Notifications are sent when a captive portal is detected.
- Health warnings in the UI are now sorted by their severity level.
- Reliability of the authentication process when launching the web browser is improved.
- The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.
iOS
- Notifications are sent when a captive portal is detected.
- Health warnings are displayed when connectivity is impacted.
- An error message is displayed while attempting to start the VPN when both Wi-Fi and cellular interfaces are down, instead of failing silently.
- The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.
tvOS
- Notifications are sent when a captive portal is detected.
- The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.
Android
- Health warnings, if any are present, are displayed in the main view of the app.
Via in Access Control Previews
- Access control policies using `via` are included in the Preview rules tab of the Access Controls page of the admin console.
Microsoft Entra ID SCIM GA
- User & group provisioning for Microsoft Entra ID GA (generally available)
- Sync Microsoft Entra ID groups and users to use in your Tailscale ACLs.
Autogroups allowed as SSH source in ACLs
- SSH `src` in ACL rules supports all role-based autogroups.
New device posture integrations
- 1Password XAM is available as a device posture integration (beta)
- Jamf Pro is available as a device posture integration (beta)
- Kandji is available as a device posture integration (beta)
- Microsoft Intune is available as a device posture integration (beta)
- SentinelOne is available as a device posture integration (beta)
Control D integration
- Control D DNS is available as a global nameserver in your tailnet.
New API endpoints
We have added the following endpoints to Tailscale's public API:
Device endpoints
Webhook management endpoints
Tailnet settings endpoints
Tailscale Docker image v1.70.0
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- Egress proxies specified by an FQDN now work also for IPv6-only network stacks.
Tailscale Kubernetes operator v1.70.0
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.
- Egress proxies specified by an FQDN now work also for IPv6-only network stacks.
- Tailscale `Service` status now includes a custom Tailscale proxy status condition.
- Optionally record `kubectl exec` sessions.
- Cluster resources for failed egress proxies are now correctly cleaned up when the parent `Service` is deleted.
Tailscale tsrecorder v1.70.0
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- `tsrecorder` now plays session recordings for interactive sessions initiated by a command that explicitly specifies shell.
Tailscale v1.70.0
Update instructions
All platforms
- Restrict recommended and automatically selected exit nodes using the new `AllowedSuggestedExitNodes` system policy. Applies only to platforms that support system policies.
- Improved NAT traversal for some uncommon scenarios.
- Optimized sending firewall rules to clients more efficiently.
- Exit node suggestion CLI command now prints the hostname (which you can use with the `tailscale set` command).
- Taildrive share paths configured through the CLI resolve relative to where you run the `tailscale` command.
Linux
- Switching from unstable to stable tracks using the `tailscale update` command now works correctly.
Windows
- Use the value `auto:any` to automatically select an exit node for the existing `ExitNodeID` system policy. Available for Enterprise plan users only.
- The new `AllowedSuggestedExitNodes` system policy restricts which exit nodes Tailscale recommends or automatically selects.
- DNS leak issue.
- Switching from unstable to stable tracks using the `tailscale update` command now works correctly.
- Taildrive server no longer starts unnecessarily when no drives are configured.
macOS
Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.
- Toggle Tailscale DNS from Siri or the Shortcuts app.
- Receive health notifications in the client menu on macOS to inform you about lack of internet connectivity, firewalls blocking Tailscale, misconfiguration issues, and other issues. Health issues that affect connectivity also change the Tailscale icon in the system menubar to show an exclamation mark.
- On MacBooks with a notch in the display, a notification window will now appear if the Tailscale icon is hidden behind the notch due to too many menubar items.
- The Tailscale client now warns you when the built-in macOS content filter (Screen Time) prevents Tailscale from connecting.
- Use the value `auto:any` to automatically select an exit node for the existing `ExitNodeID` system policy. Available for Enterprise plan users only.
- The exit node picker no longer presents exit node suggestions if the organization enforces always using the suggested exit node using the `ExitNodeID` system policy.
- Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
- Taildrive server no longer starts unnecessarily when no drives are configured.
- Increased the reliability of the Install Updates Automatically setting.
iOS
- Toggle Tailscale DNS from Siri or the Shortcuts app.
- Use the value `auto:any` to automatically select an exit node for the existing `ExitNodeID` system policy. Available for Enterprise plan users only.
- `wireguard-go` memory pool deadlock issue is resolved.
- Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
- User interface no longer flickers when selecting an exit node.
tvOS
- Use the value `auto:any` to automatically select an exit node for the existing `ExitNodeID` system policy. Available for Enterprise plan users only.
- `wireguard-go` memory pool deadlock issue is resolved.
- User interface no longer flickers when selecting an exit node.
Android
- Access ping information and connection status by long-pressing on a device in the devices list and selecting Ping.
- Use split tunneling to force or exclude app traffic through your tailnet.
- `wireguard-go` memory pool deadlock issue is resolved.
Indent has shut down
- Indent shut down their service effective July 15, 2024. If you were using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration with Tailscale.
Plan enrollment changes for new tailnets
- The process for creating a new tailnet now asks you if the tailnet will be primarily used At work or At home. This determines whether to enroll the tailnet into a 14-day trial or the Personal plan. For more details, see the Tailscale quickstart topic.
- Newly created tailnets using custom domains are no longer automatically enrolled in a trial. Instead, the At work or At home selection determines trial enrollment.
New API endpoints, OpenAPI spec, and interactive API docs
- Access an OpenAPI spec for the Tailscale API. The spec is used to generate our new interactive documentation. Note that the spec definition may change without notice, so should not be relied upon for stability.
- Access interactive documentation for the Tailscale API.
New API endpoints
We have added the following endpoints to Tailscale's public API:
Logging endpoints
- Get log streaming status.
- Get log streaming configuration.
- Set log streaming configuration.
- Disable log streaming.
- Created a new endpoint for listing configuration audit logs. An earlier version of this endpoint is still supported for backwards compatibility.
- Created a new endpoint for listing network flow logs. An earlier version of this endpoint is still supported for backwards compatibility.
Webhook management endpoints
- List all webhooks for a tailnet.
- Create a new webhook.
- Update a webhook.
- Delete a webhook.
- Test a webhook.
- Rotate a webhook secret.
Device posture endpoints
- List all posture integrations.
- Create a posture integration.
- Update a posture integration.
- Delete a posture integration.
User management endpoints
- List all users in the tailnet.
- Get details about a specific user.
- Update the role for a specific user.
- Approve a pending user's access to the tailnet. This is only applicable to tailnets that have enabled user approval.
- Suspend a user. Available for the Personal and Enterprise plans.
- Restore a suspended user. Available for the Personal and Enterprise plans.
- Delete a user. Available for the Personal and Enterprise plans.
User invite endpoints
- List all open (not yet accepted) user invites to the tailnet.
- Create user invite links and send user invite emails.
- Get details for a specific user invite.
- Delete an open (not yet accepted) user invite.
- Resend an open (not yet accepted) user invite that was originally sent via email.
Device invite endpoints
- List all open (not yet accepted) device invites.
- Create device invite links and send device invite emails.
- Get details for a specific device invite.
- Delete an open (not yet accepted) device invite.
- Resend an open (not yet accepted) device invite.
- Accept a device invite to your tailnet.
Contact preferences endpoints
Automatically clean up invites
- Invite team member invites are now automatically deleted 90 days after the last welcome email was sent.
IP sets GA
- IP sets GA (generally available)
- Use IP sets to target and manage cross-sections of your tailnet independently of other groupings like subnets, tags, and groups.
Tailscale v1.68.2
All Platforms
- Tailnet lock validation of rotation signatures now permits multiple nodes signed by the same pre-signed reusable auth key.
macOS
- Wake from sleep reliability is improved for re-connections and transitions between networks.
iOS
- Wake from sleep reliability is improved for re-connections and transitions between networks.
Sync Google Workspace groups to use in your Tailscale ACLs
Indent shutting down July 15, 2024
- Indent has announced they are shutting down 12:00 PM PST July 15, 2024. If you are using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration by that time.
Tailscale Docker image v1.68.1
A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.
- UDP GRO forwarding can be turned on for containers configured as Tailscale subnet routers or exit nodes, using the new environment variable `TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS`. To learn more, see Performance best practices.
- Containers that run on Kubernetes and store the `tailscaled` state in a Kubernetes `Secret` can now be forced to read the Kubernetes API server address and port from the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT_HTTPS`. By default, the values are read from the Kubernetes `Service` in the default namespace. To enforce the environment variables, set `TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV` to `true`.
Tailscale Kubernetes operator v1.68.1
A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.
- Tailscale Kubernetes operator proxies can now be configured to accept routes advertised by tailnet peers using the new `proxyClass.spec.tailscale.acceptRoutes` field. To learn more, see our ProxyClass documentation.
- Images and image pull policies can be configured for individual Tailscale Kubernetes operator proxies using ProxyClass.
- Connector Custom Resources status now includes the proxy's tailnet IP addresses and MagicDNS name.
- Helm values file now allows configuring image repositories using a repository key, which is standard and expected by some tools.
Tailscale tsrecorder v1.68.1
A new release of the Tailscale `tsrecorder` is available. You can download it from Docker Hub.
- `--state` flag or the `TS_STATE` environment variable can be used to specify a Kubernetes `Secret` as `tailscaled` state store when deploying the `tsrecorder` container.
- `--dst` flag for destination can be set as the environment variable `TSRECORDER_DST` when deploying the `tsrecorder` container.
- `--bucket` flag for the S3 bucket name can be set as the environment variable `TSRECORDER_BUCKET` when deploying the `tsrecorder` container.
- `--hostname` flag for the hostname can be set as the environment variable `TSRECORDER_HOSTNAME` when deploying the `tsrecorder` container.
- `--ui` flag for the user interface can be set as the environment variable `TSRECORDER_UI` when deploying the `tsrecorder` container.
- AWS ambient credentials can be used to access the S3 backend.
Tailscale v1.68.1
All Platforms
- 4via6 subnet router advertisement works as expected.
Linux
- Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
Android
- Android TV navigation is improved.
Tailscale v1.68.0
All Platforms
- Auto-updates are available for containers. The tailnet-wide default is ignored in containers.
- When enabled, auto-updates get applied even if the node is down or disconnected from the coordination server.
- `tailscale lock status` now prints the node's signature.
- Go is updated to version 1.22.4.
Windows
- `.exe` installer no longer automatically downloads MSI packages for Windows 7 and Windows 8. See the v1.42.0 changelog for our initial end of life announcement.
macOS
- Standalone variant of the client can now install a launcher for the Tailscale CLI in `/usr/local/bin` by going to Settings, CLI integration, then Show me how.
- Standalone variant of the client now supports notifications when a file is received using Taildrop.
- Pop-up notification displays when a network might be vulnerable to a potential TunnelVision attack. For more information, see TunnelVision vulnerability and Tailscale.
- Client starts up more reliably if another VPN app is running when Tailscale is enabled.
- `.pkg` installer terminates pre-existing copies of Tailscale and the VPN extension before proceeding with installation if Tailscale was already installed.
- TunnelBear installation is properly detected, and warns the user about incompatibility.
- Using Exit Node label no longer appears incorrectly in the app menu before completing onboarding, upon the first time app launch.
- Fixed a bug with split DNS domains being used as search domains after a network change.
iOS
- Battery life is optimized by offloading DNS resolution to iOS in more cases.
- Client now starts more reliably if another VPN app is running when Tailscale is enabled.
- Bug report view no longer copies the bug report ID to the clipboard automatically.
- Reauthenticate button for in-app key expiry notifications works as expected.
- Dark mode contains minor changes to UI colors.
- Fixed a bug with split DNS domains being used as search domains after a network change.
tvOS
- Client now starts more reliably if another VPN app is running when Tailscale is enabled.
- Reauthenticate button for in-app key expiry notifications works as expected.
Android
- On-off toggle state better matches the actual client state.
- Status notifications when Tailscale is disconnected are now background notifications, and tapping on notifications launches the Tailscale app.
- Client starts automatically after the first login.
- System policy (MDM) support is added for mandatory exit nodes.
- Organization name is now rendered properly when set in the `ManagedByOrganizationName` system policy.
- Crashing no longer occurs when launching Tailscale and another VPN application was already running.
- Running an exit node no longer lets you use another device as an exit node and vice versa.
- Home screen shows the selected exit node country and city when using Mullvad exit nodes.
Note: The Tailscale client releases for containers such as the Kubernetes operator, Docker image, and tsrecorder are typically released a few days after the initial client release. A separate changelog will be published when client updates for containers are available.
Auto exit nodes
- You can now automatically select a recommended exit node based on client information (such as location).
Exit node destination logging
- Exit node destination logging can now be configured from the Network flow logs tab in the Logs page of the admin console.
Tailscale v1.66.4
All platforms
- Restored UDP connectivity through Mullvad exit nodes.
Linux
- Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when `autogroup:danger-all` is used in ACLs.
Tailscale v1.66.3
Note: Tailscale v1.66.2 was an internal-only release.
All platforms
- Login URLs did not always appear in the console when running `tailscale up`.
Android
- Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
- Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
- The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
- The "Enable" button in the exit node selector banner now renders with the correct background color.
Kubernetes operator
- Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
- Expose cloud services on cluster network to the tailnet, using Kubernetes `ExternalName` Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
- Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #11019.
- Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019.
- Configure environment variables for Tailscale Kubernetes operator proxies using `ProxyClass` CRD. Refer to `ProxyClass` API.
- Expose `tailscaled` metrics endpoint for Tailscale Kubernetes operator proxies through `ProxyClass` CRD. Note that the `tailscaled` metrics are unstable and will likely change in the future. Refer to `ProxyClass` API.
- Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
- Configure affinity rules for Kubernetes operator proxy Pods with `ProxyClass`. Refer to `ProxyClass` API.
- Kubernetes operator proxy `init` container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.
Containers
- Tailscale containers running on Kubernetes no longer error if an empty Kubernetes `Secret` is pre-created for the `tailscaled` state. Refer to #11326.
- Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the `tailscaled` state `Secret`. Refer to #11326.
Dark mode in the admin console
- Use the Light, Dark, or Use system setting theme in the admin console by clicking the avatar menu on the top-right and selecting Appearance. The default theme is Use system setting.
Support for Amazon Fire devices
- The Tailscale app for Android is now available in the Amazon Appstore for Amazon Fire TVs and tablets.
Tailscale v1.66.1
This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.
Linux
- `tailscale set` command flags `--netfilter-mode`, `--snat-subnet-routes`, and `--stateful-filtering` are added.
- Issue with `nftables` rules for stateful filtering, introduced in v1.66.0.
macOS
- A version mismatch warning no longer displays when upgrading, if no mismatch is detected.
ACL syntax updates
- As part of a security fix to address an issue related to exit nodes and subnet routing (TS-2024-005), changes are made to ACLs.
- The meaning of `*` when used in the `src` field in ACLs has been changed. Previously, `*` expanded to include any IPv4 and IPv6 address. With this change, `*` expands to all Tailscale IP addresses and all IP addresses from approved subnet routes.
- The new `autogroup:danger-all` ACL type has been added, which matches the previous definition of `*` when used in the `src` field. If you are using default ACLs or have specified `*` in `src`, you don't need to make any ACL changes to get the new secure behavior.
- We recommend updating all Tailscale clients to v1.66 to benefit from the additional security improvements.
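A model of the `src` change described above, added here as an example and not Tailscale's own code: it compares the old and new expansion of `*` and flags rules in a policy file that use `*` or `autogroup:danger-all` as a source. The two Tailscale address ranges, the strict-JSON sample policy (real policy files are HuJSON), the sample addresses and all function names are assumptions of this example.

```python
import ipaddress
import json

# Assumption: the ranges Tailscale node addresses are drawn from
# (CGNAT IPv4 space and Tailscale's IPv6 ULA prefix).
TAILSCALE_RANGES = [
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
]

# Constructed sample policy; only the "acls" section is modelled.
SAMPLE_POLICY = """
{
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["tag:web:443"]},
    {"action": "accept", "src": ["autogroup:danger-all"], "dst": ["tag:ingress:80"]},
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:db:5432"]}
  ]
}
"""


def star_matches(ip, approved_routes, legacy=False):
    """Does `*` in src cover this source address?

    legacy=True models the old meaning (any IPv4 or IPv6 address);
    otherwise only Tailscale IPs and approved subnet routes match.
    """
    addr = ipaddress.ip_address(ip)
    if legacy:
        return True
    nets = TAILSCALE_RANGES + [ipaddress.ip_network(r) for r in approved_routes]
    return any(addr.version == n.version and addr in n for n in nets)


def src_matches(selector, ip, approved_routes, legacy=False):
    """Evaluate one src selector; only the two wildcards are modelled."""
    if selector == "*":
        return star_matches(ip, approved_routes, legacy)
    if selector == "autogroup:danger-all":
        # Matches the previous definition of `*`: every address.
        return True
    return False  # users, groups, tags and hosts are out of scope here


def audit_policy(policy_text):
    """Return (rule_index, finding) pairs for wildcard sources worth reviewing."""
    findings = []
    for index, rule in enumerate(json.loads(policy_text).get("acls", [])):
        src = rule.get("src", [])
        if "autogroup:danger-all" in src:
            findings.append((index, "danger-all"))
        elif "*" in src:
            findings.append((index, "star"))
    return findings


def compare(ip, approved_routes):
    """(old `*`, new `*`, autogroup:danger-all) verdicts for one source address."""
    return (
        src_matches("*", ip, approved_routes, legacy=True),
        src_matches("*", ip, approved_routes),
        src_matches("autogroup:danger-all", ip, approved_routes),
    )


if __name__ == "__main__":
    routes = ["192.168.10.0/24"]  # constructed approved subnet route
    for ip in ("100.101.102.103", "192.168.10.20", "10.0.0.5", "203.0.113.7"):
        print(ip, compare(ip, routes))
    for index, finding in audit_policy(SAMPLE_POLICY):
        print(f"acls[{index}]: src uses {finding}")
```

Rules reported as `danger-all` are the ones to review first, since they keep the any-address behaviour that `*` no longer has.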
Tailscale v1.66.0
We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.
All platforms
- Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Linux
- Use the `--stateful-filtering` flag for `tailscale up` to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the `tailscale up --stateful-filtering=false` command.
- Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the `tab` key to complete the item being typed. Set up tab completion by using the `tailscale completion` command.
- Use the `tailscale exit-node suggest` command to automatically pick an available exit node that is likely to perform best.
- Site-to-site networking now also requires `--stateful-filtering=false` in addition to `--snat-subnet-routes=false` on new subnet routers. Existing subnet routers with `--snat-subnet-routes=false` will default to `--stateful-filtering=false`.
macOS
- View a suggested exit node in the Exit Node picker when available.
- Generate a macOS Configuration Report `.txt` file from the Bug Report view to help the Tailscale support team diagnose issues.
- Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
iOS
- See direct vs. relayed connections in the Ping view.
- View a suggested exit node in the Exit Node picker when available.
- Use auth keys to log in without using the browser.
- Search tagged devices by tag in the Devices list.
- Remove accounts in the Fast User Switching view by using a long press, without having to log out.
- Improved UI experience to log into a custom coordination server like Headscale.
- The Fast User Switching view can now be used when Tailscale is disconnected.
- Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
- Reduced app launch time.
tvOS
- Manage DNS configuration in the DNS Settings view.
- Generate a bug report identifier by navigating to About Tailscale > Report an issue.
- Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
Android
We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.
- Use new status indicators to see at-a-glance insights into node connectivity. Tap on a node to see detailed information.
- See detailed information about resolvers, domains, and routing configurations in a dedicated DNS Settings view.
- See the status of Tailnet lock and node keys.
- Use Fast user switching to switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate.
- Use auth keys to log in without using the browser.
- Manage Android devices in your tailnet using Mobile Device Management (MDM) solutions such as Google Workspace, Microsoft Intune, or TinyMDM, among other tools.
- Accessibility support.
- Use dark mode as an alternative to light mode.
- The Quick Settings tile has been temporarily disabled, pending resolution of an issue.
- More intuitive behavior switching between exit nodes.
- Issue with LAN access during exit node use.
Device posture management GA
- Device posture management GA (generally available)
- Use Device posture management to collect device properties and set device connectivity rules within your Tailscale network. Leverage Tailscale's integration with CrowdStrike to use Falcon Zero Trust Assessment (ZTA) scores to enable granular access control based on device health and security.
Log streaming with Axiom
- Log streaming integration with Axiom GA (generally available).
- Use Axiom for log streaming.
Windows OS versions in admin console
- Windows machines in the admin console are now displayed using their marketing version number instead of their internal version number.
All identity providers available to everyone
- Allowable identity providers are no longer limited by pricing plan. Any supported identity provider is available to all plans.
Tailscale v1.64.2
Windows
- Installers are now built using WiX toolchain version 3.14.1.
Synology
- DiskStation Manager UI no longer freezes for a few minutes at startup when attempting to clean unused routes. This update is applicable to the version provided on pkgs.tailscale.com.
Changelog update
- The Tailscale changelog has migrated to a new server. To prevent disruptions to RSS readers that subscribe to our changelog, we have limited the RSS feed to entries published on or after 2024-04-15. Existing RSS subscriptions should not lose access to older entries that have already been downloaded. The full changelog history is always available on our website.
Share devices by email from the admin console
- Share devices by sending emails directly from the admin console. The email will contain the invitation and instructions on how to accept the device share.
Tailscale v1.64.0
All platforms
- `tailscale serve` headers are now RFC 2047 Q-encoded.
- Device web interface enabled by default locally on `100.100.100.100`.
- Go is updated to version 1.22.2.
macOS
- Use Tailscale for macOS as a Tailscale SSH client (Standalone variant only).
- Receive alerts when an error occurs while changing client preferences.
- Added a new Internet Access Policy for Little Snitch users.
- The `.pkg` installer no longer requires a system restart after installing the client (Standalone variant only).
- Unexpected terminations for some macOS 10.15 Catalina users.
- Reduced number of alerts if the network extension terminates unexpectedly.
iOS
- Improved reliability of the ping chart presentation.
Synology
Kubernetes operator
- `tailscale configure kubeconfig` now respects `KUBECONFIG` environment variable.
- `tailscale configure kubeconfig` now works with partially empty `kubeconfig`.
- MSS clamping for Kubernetes operator proxies using nftables.
Containers
- Containers on hosts with partial support for ip6tables no longer crash.
Salesforce available as a preset app
- Salesforce is available as a preset app.
Unused external invites expire
- External user invites that are unused for 30 days will expire. This includes external invites sent by email and link.
Invite users by email from the admin console
- Invite external users by sending emails directly from the admin console. The email will contain the invitation and instructions on how to join the tailnet.
ACL Preview
- ACL Preview now shows posture conditions
Tailscale v1.62.1
Linux
- Send load balancing hint HTTP request header
Windows
- Do not allow `msiexec` to reboot the operating system
macOS
- Issue that could cause the Tailscale system extension to not be installed upon app launch, when deploying Tailscale using MDM and using a configuration profile to pre-approve the VPN tunnel (applies to standalone variant only)
Synology
- IPv6 routing
Kubernetes operator
- Kubernetes operator proxies should not accept subnet routes
Device posture attributes API
- Call device posture attribute API endpoints using the OAuth access token scope ID `devices` and personal access tokens belonging to users with the IT admin user role
Tailscale SSH GA
- Tailscale SSH GA (generally available)
- Use Tailscale SSH to manage the authentication and authorization of SSH connections in your tailnet
Download invoices
- Download invoices for your Tailscale account in the Billing page of the admin console (beta)
Tailscale v1.62.0
All platforms
- Web interface now uses ACL grants to manage access on tagged devices
- Tailscale SSH connections now disable unnecessary hostname canonicalization
- `tailscale bugreport` command for generating diagnostic logs now contains ethtool information
- Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
- DNS over HTTP requests now contain a timeout
- TCP forwarding attempts in userspace mode now have a per-client limit
- Endpoints with link-local IPv6 addresses are preferred over private addresses
- WireGuard logs are less verbose
- Go is updated to version 1.22.1
- DERP server region no longer changes if connectivity to the new DERP region is degraded
Linux
- Auto-update version detection on Alpine Linux is improved
- IPv6 support detection in a container environment is improved
- DNS configuration on Amazon Linux 2023 no longer causes an infinite loop
Windows
- `ManagedByOrganizationName`, `ManagedByCaption`, and `ManagedByURL` system policy keys are now supported
- Tailscale Tunnel WinTun adapter handling is improved
- MSI upgrades no longer ignore policy properties set during initial install
macOS
- A `.pkg` installer package is now available for the standalone release of the Tailscale client
- Taildrop notifications now include actions to reveal the received file in the Finder, or delete it
- Tailnet lock settings UI displays more information about the status, including key and public key trust status
- The onboarding flow now guides the user in enabling the Tailscale system extension
- Launch Tailscale at login settings item can now be toggled when the Tailscale client is disconnected
- DNS behavior is improved when handling transitions between network interfaces
iOS
- Battery usage is improved
- Taildrop notifications now include actions to reveal the received file in the Files app, or delete it
- Tailnet lock settings UI displays more information about the status, including key and public key trust status
- Unnecessary log messages are removed when triggered by changes to device power state and routing
- DNS behavior is improved when handling interface transitions between Wi-Fi and Cellular
Android
- Settings persist from previous sign-ins
- Always-on VPN handling is improved
- Custom control server is applied on first start
Kubernetes operator
Secret scanning with GitLab
- Secret scanning integration with GitLab
- Use secret scanning to help mitigate accidental disclosure and prevent fraudulent use of Tailscale-generated keys
ACL groups and tests for Tailscale SSH
- `sshTests` ACL top-policy section lets you write assertions about your SSH access rules and functions similarly to ACL `tests`, but for Tailscale SSH
- `user:*@<domain>` ACL autogroup allows access for any user whose login is in the specified domain and is a direct member of the tailnet
- `localpart:*@<domain>` ACL autogroup allows Tailscale SSH access to a user on the host whose name matches the local-part of the user's Tailscale login
Tailscale v1.60.1
All platforms
- Exposing port `8080` to other devices in your tailnet works as expected
Updated Users page
- Users page of the admin console updated to provide more context around user invitations, user approval, and your tailnet's identity provider
Exit node visibility
- Users can only see exit nodes they have permission to use, based on the ACL settings for a tailnet. This includes visibility in the Tailscale client and the output for Tailscale CLI commands such as `tailscale status` and `tailscale exit-node list`.
Preset Apps GA
- Preset Apps GA (generally available)
- Use Preset Apps to configure common applications with only a few clicks or an ACL configuration. Routes and domains for Preset Apps are automatically updated and managed by Tailscale, based on each app’s source of truth. Routes for preset apps are automatically approved and pushed down to all selected App connectors.
- Confluence, GitHub, Google Workspace, Jira, Okta, and Stripe are now available as preset apps
Updated pricing plans
- The Free pricing plan is now called the Personal plan. All other aspects of the plan remain the same.
- Customers who sign up with a custom domain will be auto-enrolled into a 14-day trial of the Enterprise plan with no provisioned user limits
- Personal plan customers who use a custom or vanity domain for their tailnet can opt out of the trial and continue to use the Personal plan
- Customers who use Tailscale for commercial purposes will be billed for all of their active users once they sign up for a plan
Note: Free trials are available for business customers. For details about billing, plan comparison, and support, see Pricing & Plans FAQ. For instructions on how to change your plan, see Modify billing.
Tailscale v1.60.0
All platforms
- `tailscale status` command output now includes location-based exit nodes
- `tailscale web` command flag `--read-only` is added to run the web UI in read-only mode
- A warning is logged when unable to find SSH host keys
- Support added for legacy "urn:dslforum-org" port mapping services
- Build with Go 1.22
- Detect when Tailscale is running on Digital Ocean and automatically use Digital Ocean's DNS resolvers
- Expose gVisor metrics in debug mode
- Improve error message when running as non-root
- A valid login page is presented to users when attempting to log in even after leaving device unattended for several days
- An issue with noisy peer mtu discovery errors
- A potential crash when no supported port mapping services are found
Windows
- Fixed: `tailscaled` could be slow or cause increased CPU usage with large routing tables
macOS
Note: Tailscale v1.60.0 is built with Go 1.22 and Go 1.22 is the last release that will run on macOS 10.15 Catalina (source). We are providing notice that around August 15, 2024, Tailscale will be built with Go 1.23 at which time macOS users that want to run the latest version of Tailscale will require macOS 11 Big Sur or later. Note that macOS 10.15 Catalina is no longer supported by Apple and is no longer receiving security updates.
- New UI to add, remove, and switch between user accounts, including using custom control servers
- New UI to change client preferences
- New UI to manage updates for the Standalone variant of the client, including switching in-app between stable and unstable builds
- VPN On Demand is now supported on macOS, to automatically connect/disconnect Tailscale when specific conditions are triggered
- Reset VPN Configuration menu item in the Debug menu is now available to reset the system VPN configuration if needed
- An alert window is presented when the Tailscale network extension fails to start, providing suggested troubleshooting steps
- Tailscale appears in the macOS Dock when an app window is presented
- The Network Devices list now shows all devices known to the control server, not only those seen in the last 4 days
- The onboarding flow automatically advances once the user is connected
- A potential crash and excessive logging upon client launch
- Start on Login is set correctly on macOS Ventura and earlier versions
iOS
- A potential crash and excessive logging upon client launch
- Stale devices are no longer presented in the devices list
tvOS
- A potential crash and excessive logging upon client launch
- Stale devices are no longer presented in the devices list
Android
- Mullvad exit nodes now sorted to make it easier to find the best node for each location
- Mullvad tunnels are no longer shown as regular nodes in UI
- Quick settings tile now works
Synology
- An issue with stalling of SMB transfers of large files
Kubernetes operator
- A new `ProxyClass` custom resource that allows you to provide a custom configuration for cluster resources that the operator creates
- ACL tags for the operator can now be configured via Helm chart values
- Routing to Ingress backends that require an exact path without a slash (`/`) suffix
App connectors
- App connectors now flatten DNS CNAME chains down to a target A/AAAA routing record, for apps that are configured with a DNS record that is a CNAME
- Apps can be preconfigured with known routes to have those routes auto-advertised by all selected app connectors, and immediately begin to route traffic
Auto-updates GA
- Auto-updates GA (generally available)
- Enable Tailscale client auto-updates in the Device management section of the admin console
- Initiate Tailscale client updates to devices from the Machines page of the admin console. For details, see Auto-updates.
App connectors wildcard support change
- New Apps and app connectors can no longer be selected via the `*` wildcard in a tailnet policy file or configuration flow. Instead, tag all app connectors and then use the tags as a selector. Existing `*` configurations will need to update to a tag-based selector upon the next tailnet policy file change. For details, see Wildcard connectors no longer supported.
System policies GA
- System policies GA (generally available)
- Use system policies (also known as MDM policies) to control Tailscale client settings for your users, such as UI visibility, organization customization, auto-update functionality, and runtime configurations
Secret scanning with GitGuardian
- Secret scanning integration with GitGuardian
- Use secret scanning to help mitigate accidental disclosure and prevent fraudulent use of Tailscale-generated keys
Support Device Posture in ACL tests
- Device Posture is now supported in ACL Tests
Tailscale v1.58.2
Note: The 1.58.1 release needed to be re-done. Use 1.58.2 instead.
All platforms
- App connectors have improved scheduling and merging of route changes under some conditions
- Crash when performing UPnP portmapping on older routers with no supported portmapping services
macOS
- Opening the About window no longer displays a user interface when there is no newer version
Tailscale v1.58.0
Note: Rollout of 1.58.0 paused on 21-Jan-2024 while we investigate reports of a regression with portmapping.
All platforms
- The number of 4via6 site IDs is increased from 256 to 65,536
- Taildrop allows category Z Unicode characters
- DERP flapping (flipping back and forth between two regions rapidly) is reduced when there's still an active connection for the home DERP server
- Portmap checks the epoch from NAT-PMP & PCP, and establishes a new portmapping if it changes
- Portmap better handles multiple interfaces
- Portmap handles multiple UPnP discovery responses
- Increased binary size with Tailscale 1.56 is resolved
- Web interface issue related to accessing shared devices
- Web interface login issue when accessed over HTTPS
Linux
- Shell shebang is added in postinstall script, which fixes some Debian installations
macOS
- DNS Settings view is added and displays the DNS configuration used when Tailscale is running
- Quit the app without terminating the VPN tunnel by holding down the Option button and selecting Quit (Leave VPN Active)
- Toggle Tailscale shortcut action can be used to connect or disconnect the VPN tunnel, depending on its current state
- The `KeyExpirationNotice` system policy is now supported to customize the time interval before a key expiration notice is displayed to the user
- The web interface is now supported in the standalone variant of the client
- Onboarding flow includes a step to ask the user to approve key expiry notifications
- Onboarding flow asks the user to approve the system extension if necessary, when using the standalone variant of the client
- Pre-Sonoma compatibility is improved
- VPN tunnel terminates upon closing the app
- Opening the About window triggers a check for updates
- The standalone variant of the client checks for updates every 72 hours
iOS
- Toggle Tailscale shortcut action can be used to connect or disconnect the VPN tunnel, depending on its current state. Ideal for the Action Button on iPhone 15 Pro.
- The KeyExpirationNotice system policy is now supported to customize the time interval before a key expiration notice is displayed to the user
- Sign button in the Tailnet lock device sign view is rendered correctly
- Connectivity is no longer lost when transitioning from Wi-Fi to Cellular while an exit node is in use
Windows
- The web interface is now supported
- The lookup for netsh.exe uses the absolute path instead of the relative path
- ADMX system policy descriptions are now available
- Vestigial wintun support is removed, which might have caused Chocolatey installs to break
- A goroutine leak in winMon no longer occurs if the monitor is never started
- "This package requires Windows 10 or newer" message no longer falsely displays during an uninstall or repair
Android
- Active network change detection is improved
tvOS
- Improvements to persistence of the client when running in the background
Kubernetes Operator
- A Connector custom resource is added, allowing users to configure the operator to deploy an exit node, subnet router, or both
- A warning displays if the unsupported ingress Exact path type is used
- StatefulSet labels are synced to their Pods
- A Tailscale IngressClass resource is added
- Extra long Service names are properly truncated
Containers
- Experimental support is added for configuring tailscaled using a mounted config file
- Tailscale images now contain layers of the same media type and can be parsed by Podman and Buildah
Support for Zoho
- Zoho is now supported as a custom OIDC provider
Tailscale v1.44.3
Update instructions
Windows
- Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001). This release is intended for Windows 7 and 8 users. Those with later versions of Windows should run the latest stable version of Tailscale, which is 1.56.1. This issue was resolved in Tailscale 1.52.
Invite any user to a GitHub tailnet
- Invite any user to your tailnet when using a GitHub organization or GitHub personal account as the identity provider
View machine certificate status
- View the TLS certificate status of a machine in your tailnet by using the Machines page of the admin console
HTTPS certificates GA
- HTTPS certificates GA (generally available)
- Use HTTPS certificates to provision TLS certificates for devices in your tailnet
Tailscale v1.56.1
Update instructions
Linux
- Web interface redirects to the correct self-IP known by the source peer
- App connector domain list displays as expected
macOS
- Custom login server uses the provided URL instead of login.tailscale.com
iOS
- Custom login server uses the provided URL instead of login.tailscale.com
tvOS
- Custom login server uses the provided URL instead of login.tailscale.com
ACL Grants
- Use ACL Grants in your tailnet policy file to provide capabilities at either the IP layer or the application layer (beta)
Device posture
- Use Device posture management to collect device properties and set device connectivity rules within your Tailscale network (beta)
- "Enable posture identity collection" and "Disable posture identity collection" are logged as configuration audit logging events when device posture identifiers are enabled or disabled, respectively
- "Create posture integration" is logged when a new device posture integration is added
- "Update posture integration" is logged when a device posture integration is updated
- "Remove posture integration" is logged when a device posture integration is removed
Tailscale v1.56.0
Update instructions
All platforms
- tailscale whois command shows the machine and user associated with a Tailscale IP address
- System policies are now in beta
- tailscale switch --list command shows name and profile ID to disambiguate profiles with common login names
- Responsiveness is improved under load, especially with bidirectional traffic
- UPnP port mapping is improved
Linux
- The web interface allows users to configure some device settings such as exit nodes, subnet routers, and Tailscale SSH using a browser-based GUI instead of the Tailscale CLI
- tailscale update command is supported for Unraid
- containerboot symlinks its socket file if possible, making the Tailscale CLI work without --socket=/tmp/tailscale.sock
Windows
- Throughput is improved for userspace ("netstack") mode in the presence of packet loss
- Profile switcher displays the tailnet name
- Dynamic DNS updates are disabled in the client interface via the registry setting
- Client improvements when restarting after an upgrade
macOS
- Taildrop notification displays when a file is received (App Store variant only)
- Taildrop shortcut action is added for file sharing
- Profile switcher displays the tailnet name
- About Tailscale dialog indicates when the app is running a TestFlight build
- In-app warnings and push notifications display when internet connectivity is blocked because the current exit node is offline or its key has expired
- VPN tunnel fully terminates when Tailscale is stopped, using the menu bar toggle
- /etc/resolv file formatting with Tailscaled-on-macOS is improved
iOS
- DNS Settings view is added
- Taildrop shortcut action is added for file sharing
- Taildrop notifications include the received file names
- Profile switcher displays the tailnet name
- About Tailscale dialog indicates when the app is running a TestFlight build
- Allow Local Network Access option is added to the exit node picker UI
- In-app warning and push notification displays when internet connectivity is blocked because the current exit node is offline or its key has expired
- App size is reduced by about 2 MB with better asset compression
tvOS
- Apple TV can be configured as a subnet router, allowing you to remotely access resources on your home network that may not have Tailscale installed, such as a printer
- About Tailscale dialog indicates when the app is running a TestFlight build
Kubernetes
- Helm charts for the Tailscale Kubernetes Operator are now available on pkgs.tailscale.com/helmcharts
- Kubernetes API server proxy supports impersonating groups via ACL Grants
- Kubernetes operator cluster egress now supports referring to a tailnet service by its MagicDNS name in the Service annotation
GoKrazy
- TUN mode is used by default
App connectors
- Use App connectors to connect software as a service (SaaS) applications to your Tailscale network (beta)
Regional routing GA
- Use Regional routing to route your traffic across distributed high availability infrastructure based on region (generally available)
Specify protocol in ACL tests
- proto field is now supported in ACL tests
Tailscale v1.54.1
Update instructions
macOS
- Changing a pre-existing system policy value to nil no longer causes stability issues
iOS
- Changing a pre-existing system policy value to nil no longer causes stability issues
- Widget tracks the connection state more closely
tvOS
- Changing a pre-existing system policy value to nil no longer causes stability issues
Configure CGNAT IP range subset
- Use IP pool to enable configuring a specific CGNAT IP range subset in your tailnet policy file (alpha)
Access to the full CGNAT address space
Tailscale IPv6 address prefix change
- Tailscale IPv6 local addresses are assigned from the unique local address prefix of fd7a:115c:a1e0::/48. Previously IPv6 addresses were assigned from fd7a:115c:a1e0:ab12::/64.
Log streaming with Datadog GA
- Log streaming integration with Datadog GA (generally available)
- Use Datadog for Log streaming
Require check mode on every Tailscale SSH connection
- Require check mode on every Tailscale SSH connection by specifying "checkPeriod": "always" in your tailnet policy file from the Access controls page of the admin console
Tailscale v1.54.0
Update instructions
All platforms
- Go is updated to version 1.21.4
Linux
- Substantially improve throughput for UDP packets over TUN device with recent Linux kernels
- Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to if the machine administrator had previously granted that user tailscale up --operator privilege (TS-2024-001)
Windows
- Open menu with a regular click in addition to a right-click
macOS
- Implement MDM settings for the standalone macOS application
- Support for the tailscale update command for the standalone macOS application
- Don't run Taildrop cleanup loop until the first file transfer, and avoid spurious security dialog
iOS
- Show a helpful banner if there are no other devices on the tailnet
- Add Allow Local Network Access setting when using an exit node
- Show info bubble when key expires within 8 hours, or has expired
- Widgets now reflect the state of the VPN tunnel more accurately
QNAP
- Support for the tailscale update command
Secret scanning and TruffleHog
- Scanning for exposed Tailscale secrets
- Scanning for exposed Tailscale secrets helps mitigate accidental disclosure and prevent fraudulent use of Tailscale-generated keys
- Secret scanning integration with TruffleHog
- TruffleHog scans for exposed Tailscale keys
Revert your tailnet policy file
- Revert your tailnet policy file from the Configuration logs page of the admin console
Log streaming updates
- Log streaming private endpoints GA
- Use private endpoints in your tailnet for Log streaming (generally available)
- Configuration audit log streaming is now available to the Free plan
- Log streaming integration with Cribl GA
- Use Cribl for Log streaming (generally available)
Tailscale v1.52.1
Update instructions
Windows
- Resolve an incompatibility with other software that uses wintun
NAS platforms
- Clean up downloaded upgrades after applying them
Delete non-provisioned users
- Delete non-provisioned users on a tailnet with user & group provisioning enabled
Automatic client updates
- Use auto-updates (beta) to keep your Tailscale client on the latest version
Kubernetes operator
- Tailscale Kubernetes operator is now in beta
- Use the Kubernetes operator to expose services in your Kubernetes cluster to your tailnet, connect to your tailnet from a Kubernetes cluster, and securely connect to the Kubernetes control plane
- Use a Helm chart to deploy the Kubernetes operator
Tailscale extension for Visual Studio Code GA
- Tailscale extension for Visual Studio Code GA (generally available)
- Use the Tailscale extension for Visual Studio Code to interact with resources in your tailnet from within the VS Code IDE
Tailscale v1.52.0
Update instructions
All platforms
- tailscale cert command renews in the background. The current certificate only displays if it has expired.
- tailscale status command displays a message about client updates when newer versions are available
- tailscale up command displays a message about client updates when newer versions are available
- Taildrop now resumes file transfers after partial transfers are interrupted
- Taildrop prevents file duplication
- Taildrop detects conflicting file transfers and only proceeds with one transfer
- Wake on LAN (WoL) is now supported for peer node wake-ups
- TCP DNS queries are speculatively started if UDP hasn't responded quickly enough
- Truncated UDP DNS results are properly retried using TCP
- Go is updated to version 1.21.3
Linux
- tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
- tailscale serve and tailscale funnel commands are updated for improved usability
- tailscale update command for manual updates is now in beta
- Taildrop file transfer displays a progress meter
- nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
- DNS detection of NetworkManager with configured but absent systemd-resolved, such as EndeavourOS
- DNS detection for Debian resolvconf version 1.90 or later
Windows
- tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
- Preferences section contains auto-update setting
- Update notice displays when a new version is available
- System policies allow system administrators to set a forced/suggested tailnet name, hide settings menu items, and more
- tailscale serve and tailscale funnel commands are updated for improved usability
- tailscale update command for manual updates is now in beta
- iphlpsvc, netprofm, and WinHttpAutoProxySvc service dependencies are checked during installation
- Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001)
macOS
- tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
- App menu displays a notification item when a newer version is available
- System policies allow system administrators to set a forced/suggested tailnet name, prevent the VPN from stopping, hide categories of network devices and setting menu items, and more
- Settings section has an option added for turning on auto-updates
- Reauthenticate menu item shows time until expiry more prominently, presenting alerts when necessary
- tailscale serve and tailscale funnel commands are updated for improved usability
- tailscale update command for manual updates is now in beta
- About window more clearly distinguishes between the Standalone and App Store variants of the client
- Sparkle is updated to version 2.5.1
iOS
- Settings page displays a notification banner when a newer version is available on the App Store
- Home and lock screen widgets are supported
- System policies allow system administrators to set a forced/suggested tailnet name, prevent the VPN from stopping, hide the VPN On Demand settings, categories of network devices and settings menu items, and more
tvOS
- DNS support when operating as an exit node
OAuth clients GA and Search domains GA
- OAuth clients GA (generally available)
- Use OAuth clients to provide delegated fine-grained access to the Tailscale API
- Search domains GA (generally available)
- Use Search domains to set custom DNS domain suffixes that are automatically appended to any domain name that is not a fully qualified domain name (FQDN)
Add devices from the admin console
- Use the Add device button in the Machines page of the admin console to download the Tailscale client. See Add a device for details.
Tailscale v1.50.1
Update instructions
Google Chat supported as a webhook destination
- Webhook events are available in a format for Google Chat
Tailscale v1.50.0
Update instructions
All platforms
- Wikimedia DNS using DNS-over-HTTPS is supported
- Build with Go 1.21.1
- tailscale update command is unhidden on most platforms
- tailscale ping command sends an ICMP Ping code of 0
- tailscale web command updated to use React
- tailscale debug portmap command now has the --log-http option
- tailscale netcheck command works even if the OS platform lacks CA certificates
- UPnP falls back to a permanent lease if a limited lease fails
- WireGuard peer endpoint selections are improved
Linux
- Debian package lists the iptables and iproute2 packages as recommended, not required
- nftables support interoperates with Uncomplicated Firewall (UFW)
Windows
- tailscale bugreport logs contain additional diagnostic information
- Windows executable installer detects when it is running on Windows 7 or Windows 8.x and will automatically download the appropriate v1.44.2 MSI package, which is the final release supporting those operating systems
- Windows executable installer no longer embeds MSI packages in the executable. Instead, it automatically downloads the correct package. Users desiring the previous behavior may download the "full" executable installer at pkgs.tailscale.com.
macOS
- Shortcuts are added for finding and pinging devices
- Mullvad Exit Nodes allows you to select nodes by country and city
- Tailnet lock reliability improvements
- Taildrop no longer replaces spaces with %20 in file names when sending files to Windows devices
iOS
- Fast user switching is available
- iOS 17 supports customized device naming from Settings
- App Shortcuts in Spotlight and Siri are supported. Try saying: "Hey Siri, connect to Tailscale" or "Hey Siri, is Tailscale connected?".
- Shortcuts are added for finding and pinging devices
- Mullvad Exit Nodes includes an option to pick the best available node
- UI accessibility improvements when using VoiceOver
- Taildrop no longer replaces spaces with %20 in file names when sending files to Windows devices
- VPN On Demand rules are no longer reset when disabled and then restarted
OAuth access tokens
- Requests for OAuth access tokens may now specify a custom set of tags instead of always inheriting the tags from the OAuth client
- Requesting OAuth access tokens with invalid scopes will now fail rather than returning a token with default scopes
Kubernetes operator
- Use the Tailscale Kubernetes operator to expose a Kubernetes cluster to your tailnet and securely connect to the Kubernetes control plane (alpha)
Apple TV GA
- Apple TV GA (generally available)
Tailscale v1.48.2
Update instructions
All platforms
- Stability improvements for Mullvad Exit Nodes, particularly for users on IPv4-only networks
Mullvad Exit Nodes
- Use Mullvad Exit Nodes to have Mullvad VPN endpoints as exit nodes for your Tailscale network (beta)
- "Enable Mullvad VPN for tailnet" and "Disable Mullvad VPN for tailnet" are logged as configuration audit logging events when Mullvad Exit Nodes are enabled or disabled, respectively
User status changes
- The Active status filter option in the Users page of the admin console is removed. Use the Billing page to track your active users instead.
- The Inactive badge and status filter option in the Users page of the admin console are renamed Idle
Tailscale v1.48.1
Update instructions
All platforms
- Fix a security vulnerability in UPnP port mapping (TS-2023-006)
Linux
- Fixed: Resolve nftables interaction between Tailscale and UFW which resulted in blocking subnet routed traffic
Synology
- Determine correct CPU architecture in tailscale update (#8927)
Sync Microsoft Entra ID groups to use in your Tailscale ACLs
- User & group provisioning for Microsoft Entra ID (beta)
- Sync Microsoft Entra ID groups to use in your Tailscale ACLs
Tailscale v1.48.0
Update instructions
All platforms
- tailscale exit-node subcommand
- --upstream flag in the tailscale version command
- The tailscale funnel command provides an interactive web UI that prompts you to allow Tailscale to enable Tailscale Funnel on your behalf
- The tailscale serve command provides an interactive web UI that prompts you to allow Tailscale to enable HTTPS and Tailscale Funnel on your behalf
- Tailnet lock is in beta
Linux
Note: 1.48.0 introduced a regression in the interaction between Tailscale and Linux ufw. The Linux release has been withdrawn pending a fix.
- Support for nftables
- RPM packages are now fully signed
- Support for the tailscale update command on Alpine, Arch and Fedora distro families
Synology
- Support for the tailscale update command
macOS
- Support for the tailscale update command
iOS
- Support for VPN On Demand
- VPN tunnel lifecycle improvements
- Improved exit node selection
- Minor UI tweaks
Tailscale Funnel interactive web UI
Log streaming with Panther Labs GA
- Log streaming integration with Panther Labs GA (generally available)
- Use Panther Labs for Log streaming
Tailnet lock beta
- Tailnet lock is now in beta
- Use tailnet lock to require your nodes to verify node keys distributed by the coordination server before trusting them
GitLab CI/CD support for GitLab Runner
- Use the Tailscale GitLab CI/CD configuration to access devices in your tailnet directly from your GitLab Runner
Machine explorer in the Tailscale VS Code extension
- View and interact with machines on your tailnet within the Tailscale extension for Visual Studio Code. Powered by Tailscale SSH, you can remotely manage files, open terminal sessions, or attach remote VS Code sessions.
Log streaming private endpoints
- Use private endpoints (beta) in your tailnet for log streaming
Additional autogroup value
- autogroup:tagged to refer to all tagged nodes in a tailnet
Tailscale v1.46.1
Update instructions
All platforms
- Issue with tailnet lock signature verification
Linux
- Crash issue on ARM64
Android
- DNS and subnet routes issue
Autogroup now supports autogroup:member syntax
- Syntax for autogroups now supports autogroup:member in addition to autogroup:members when referring to all users in a tailnet
OAuth scopes for logs API endpoints
- The logs:read OAuth scope can be used to grant API access to configuration audit logs
- The network-logs:read OAuth scope can be used to grant API access to network flow logs
SCIM ACL validation warnings in API
- The tailnet policy file validation endpoint will now return warnings about SCIM synced groups in addition to errors in the response object. These will be the same warnings you would have seen visually in the admin console if you had tried to save that policy file. See the user and group provisioning documentation for more detail.
Tailscale v1.46.0
Update instructions
Linux
- Initial support for nftables-based configuration. This option is currently behind a temporary flag for testing and feedback. See issue #391 for details.
Windows
- Tailnet lock is now supported
macOS
- Tailnet lock is now supported
iOS
- Tailnet lock is now supported
- Onboarding flow is added for easier initial setup of the app
- Ping devices on your tailnet from the app
- The app Machines page is improved
- The app Exit Node section is improved
- The app Settings page is improved
iOS app redesign
- The Tailscale iOS client is updated with significant design and engineering improvements
Tailscale v1.44.2
Update instructions
All platforms
- Handling of custom HTTP ports in tailscale serve
Windows
- Restore support for Microsoft Windows 7 and Microsoft Windows 8.x.
Tailscale v1.44.2 will be the last release to support the following operating systems: Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, and Microsoft Windows Server 2012.
Log streaming integration with Panther Labs
- Use Panther Labs (beta) for Log streaming
Tailscale v1.44.1
Update instructions
Android
- Various bugs and improvements
Terms of service and privacy policy
- Updated Terms of Service
- Updated Privacy Policy
Tailscale GitHub Action changes
- The Tailscale GitHub Action now supports use of an OAuth client for its node authorization. The action also supports running on ARM64 nodes.
Network flow logs GA and Log streaming GA
- Network flow logs GA (generally available)
- Use Network flow logs to understand which nodes connected to which other nodes, and when, in your tailnet
- Log streaming GA (generally available)
- Use Log streaming to stream Configuration audit logs and Network flow logs to a security information and event management (SIEM) system
Nairobi DERP region
- Nairobi added as a DERP region
Add a description to new keys and OAuth clients
- Description field is added to the Generate auth key dialog in the Keys page of the admin console
- Description field is added to the Generate access token dialog in the Keys page of the admin console
- Description field is added to the Generate OAuth client dialog in the OAuth clients page of the admin console
Tailscale v1.44.0
Update instructions
Note: This is the last release to support the following operating systems:
• macOS 10.13 High Sierra
• macOS 10.14 Mojave
Tailscale releases after 1.44.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.44.0 with future releases until at least June 30, 2024.
To install Tailscale on a High Sierra or Mojave system, visit the Purchased Items in the App Store Account page. macOS High Sierra or Mojave systems will be offered Tailscale 1.44 when the download link is clicked. If Tailscale does not appear in the Purchased Items it must first be successfully installed using a recent macOS system. The Tailscale app will then be available for the High Sierra or Mojave system to install from Purchased Items.
All platforms
- tailscale serve http command to serve over HTTP (tailnet only)
- tailscale ssh command now supports remote port forwarding
- Recursive DNS resolution is now initially supported to replace bootstrapDNS when operating in a parallel mode
- Build with Go 1.20.5
- --tun-userspace-networking stability improvements for userspace subnet routers
- MagicSock private addresses are given preference when both private and public are available, to help keep traffic in private VPCs, where possible
- Async support is removed from the portlist package. Update to use synchronous Poll() if this breaks your package.
- WatchIPNBus now only requires read-only permissions to read
- tailscale cert renewal decision is now based on the lifetime of the certificate instead of hard-coded. This better supports 14 day certificate lifetimes.
Linux
- Changed: tailscale ssh support improvements for Security-Enhanced Linux (SELinux) systems
- Changed: tailscale ssh supports user names with up to 256 characters
- build_dist.sh better supports operating systems and CPU architectures which Tailscale release builds do not include
- The iputils package can now be installed on Alpine-based Docker containers
Windows
- PreferGo supports better DNS caching
macOS
- ICMP6 forwarding works as expected when running as a subnet router
FreeBSD
- ICMP6 forwarding works as expected when running as a subnet router
OpenBSD
- ICMP6 forwarding works as expected when running as a subnet router
WASI
- tsnet applications compiled to WebAssembly are now better supported
Support for IPv6 in tailnet policy file
- IPv6 addresses can now be directly specified in ACL rules and tests.
Support for Codeberg and Gitea
- Codeberg and Gitea supported as custom OIDC providers
Edit policy groups dialog in admin console
- Edit group membership in the Users page of the admin console
Custom OIDC setup option for user auth page prompt
- Setup for custom OIDC providers provides the option for specifying a prompt (none, consent, login, select_account) for the user authentication page. If your tailnet was already using a custom OIDC provider, we updated your setup automatically to use consent, which prior to today was the only supported value.
Support for Ping Identity
- Ping Identity is now available as a custom OIDC provider
Tailnet lock login change for expired nodes
- Changed: When logging in to a node that has an expired key in a tailnet that has enabled Tailnet lock, an error message is returned, directing you to reauthenticate instead of logging in, or to delete the machine from within the admin console before logging in again
Invite any user to a tailnet
- Invite any user to your tailnet with a URL invitation (beta)
- "User joined external tailnet" is logged as a configuration audit logging event when a user in your tailnet joins another tailnet
Leave an external tailnet
- The Leave tailnet option has been added to the Tailscale login page (https://login.tailscale.com)
- The Leave tailnet menu option has been added to the Users page of the admin console for the selected user
- "User left external tailnet" is logged as a configuration audit logging event when a user in your tailnet leaves another tailnet
Support for passkeys
Tailscale extension for Visual Studio Code
- Use the Tailscale extension for Visual Studio Code to interact with resources in your tailnet from within the VS Code IDE (beta)
Tailnet lock UI changes
- Manage tailnet lock from the Device management page of the admin console, when enabled
- Improved UI for tailnet lock settings in the Machines page of the admin console
Tailscale v1.42.0
Update instructions
Note: This is the last release to support the following operating systems:
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows Server 2008
• Microsoft Windows Server 2012
Tailscale releases after 1.42.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.42.0 with future releases until at least May 31, 2024.
Note: Do not install this version of the Tailscale client on macOS 10.13. Upgrade to version 1.44.0 instead.
All platforms
- tailscale serve reset command to clear out the current serve configuration
- Changed: Update internal DNS handling to better support mixtures of global and private DNS servers
Linux
- SSH login on platforms which lack getent
Windows
Note: This release switches to a new application signing certificate, which is valid through 2025.
- Notification icons are updated
macOS
- Update Sparkle to check more regularly
- Taildrop delivery of incomplete files
iOS
- Delete Account button to redirect to the admin panel
- Better handle memory management to avoid hitting 50 MByte memory limit
Unraid
- Support Unraid as a NAS platform similar to how Synology and QNAP are handled
Kubernetes
- Support for priorityClassName
ACL tags are lowercased
- ACL tags for auth keys created via API are lowercased
Custom OIDC GA
- Custom OIDC providers (generally available)
- Use a custom OIDC provider for authentication to your tailnet
Discord and Mattermost supported as webhook destinations
- Webhook events are available in formats for Discord and Mattermost
SSH session recording
- Use Tailscale SSH session recording to stream Tailscale SSH session logs to a designated node in your tailnet (beta)
Tailscale v1.40.1
Update instructions
Linux
- Tailscale SSH is now supported for LDAP users
- Support for Tailscale SSH session recording to a local file is restored
- Debian and RPM packages for MIPS architecture generate as expected
Windows
- Notification icons are updated
- The 32-bit Windows installer for the Tailscale client works as expected
macOS
- tailscale cert command no longer causes timeout failures
Kubernetes
- The Tailscale version displays in the startup logs
Support for Authelia
- Authelia is now available as a custom OIDC provider (beta)
Sign in with Apple
- Apple is now available as a supported SSO identity provider, for all plans
Search Domains
- Use Search Domains to configure DNS for accessing network resources without having to specify the full domain path (beta)
Audit log events for Log streaming
- "Create logstream endpoint for tailnet", "Update logstream endpoint for tailnet", and "Delete logstream endpoint for tailnet" are logged as configuration audit logging events for Log streaming
Log streaming
- Use Log streaming to stream configuration audit logs and network flow logs to a security information and event management (SIEM) system (beta)
Tailscale v1.40.0
Update instructions
All platforms
- tailscale up --force-reauth will now display a warning and 5 second countdown if you are connected over SSH over Tailscale, unless --accept-risk=lose-ssh is also given
- Tailscale now dynamically increases the buffer size for DERP relay messages based on the amount of available RAM (#7776)
- Improvements were made to how Tailscale advertises available endpoints to reduce the likelihood of a spurious loss of direct connections (#7877)
Linux
- Substantially higher throughput—for details, see Surpassing 10Gb/s over Tailscale
- Improved CPU consumption on systems with a very large (1M+) routing table
Windows
- Redo migration of pre-Fast-User-Switching state for better robustness
macOS
- "Settings" replaces "Preferences" as a menu item on macOS Ventura
Android
- Added intents com.tailscale.ipn.CONNECT_VPN and com.tailscale.ipn.DISCONNECT_VPN
gokrazy
- Tailscale SSH now works
QNAP
- UI failure after reboot
Machines page updates
- The Machines page of the admin console has been updated to use Version as a column heading instead of OS, and to show the Tailscale client version prior to the operating system name
Audit log events for approved node routes
- "Update auto approved routes for node" is logged as a configuration audit logging event for routes advertised by the node that are updated using autogroups
- "Update approved routes for node" replaces "Update advertised routes for node" in Configuration audit logging events
Webhook event when a node is deleted
- nodeDeleted webhook event is now generated when a node is removed from the tailnet, including automatic removal of ephemeral nodes
GitOps for Tailscale ACLs with GitLab CI
- Sync Tailscale ACLs GitLab CI Template to keep your tailnet policy file in GitLab, and automatically run tests and push changes to Tailscale
Additional autogroup values
- autogroup:billing-admin and autogroup:auditor added as autogroups
Audit log events for Network flow logs
- "Enable network flow logging for tailnet" and "Disable network flow logging for tailnet" are logged as Configuration audit logging events for Network flow logs
Billing page updates
Network flow logs
- Use Network flow logs to understand which nodes connected to which other nodes, and when, in your tailnet (beta)
Additional custom OIDC providers
- Auth0, Authentik, Dex, Duo, GitLab, JumpCloud, Keycloak, Ory, and ZITADEL are now available as custom OIDC providers (beta)
Updated pricing plans
- The available pricing plans are Free, Starter, Premium, and Enterprise. Community on GitHub projects remain free, and discounts remain available for charities, not-for-profit organizations, and educational institutions. If you want, you can keep your old plan until at least April 30, 2024.
- The Free plan has three free users
- All plans only pay for incremental usage above three users
New autogroup values
- autogroup:admin, autogroup:it-admin, autogroup:network-admin, and autogroup:owner added as autogroups
Machine address copy card
- Click on a machine's IP address in the Machines page of the admin console to display a machine address copy card. Within the machine address card, click to copy the MagicDNS name, IPV4 address, or IPV6 address of the machine to your clipboard.
Tailscale v1.38.4
All platforms
- Build with Go 1.20.3 to address security fixes (CVE-2023-24537, CVE-2023-24538, CVE-2023-24534, and CVE-2023-24536). These address potential DoS attacks against DNS over HTTPS and Funnel that can occur over the public internet, and PeerAPI attacks launched from other nodes already on the tailnet.
- Added path support for proxy targets with tailscale serve
- Error displays when trying to use Funnel and tailscale up --shields-up simultaneously
Windows
- When connected to a Windows 10 client using Windows RDP, the Tailscale taskbar right-click option for the remote client works as expected (#7698)
Audit log events for Member users
- "Log in using the web interface" and "Log out using the web interface" are logged as Configuration audit logging events for the Member user role. These events differentiate logins from users with access to the admin console.
Tailnet lock works for additional scenarios
- Tailnet lock works with shared nodes and Tailscale SSH console
Tailscale Funnel Beta
- Tailscale Funnel (beta)
- Route traffic from the wider internet to one or more of your Tailscale nodes.
Tailscale v1.38.3
All platforms
- Support for stripping HTTP request paths from Funnel proxy routes (#6571)
- Tailscale Funnel is now beta
- tailscale serve issue that did not use actual SrcAddr as X-Forwarded-For
Linux
- Certificate storage issue that did not actually use Kubernetes secrets
Windows
- Upgraded the Walk framework for the GUI client to improve menu responsiveness
Invite teams
- Invite multiple users at once and administer invites from the Users page of the admin console
- "Invite user to join tailnet" is logged as a Configuration audit logging event
Sales tax collected where required
- Tailscale collects sales tax for jurisdictions that require it, except for organizations with tax exempt status
Custom OIDC providers
- Use a custom OIDC provider for authentication to your tailnet (beta)
Tailscale v1.38.2
All platforms
- tailscale lock tskey-wrap has been replaced by tailscale lock sign
- tailscale lock sign now supports signing auth keys
Linux
- --tun=userspace-networking issue running in Azure App Services
macOS
- Sparkle automatically checks updates for the standalone package. This does not impact the App Store package.
FreeBSD
- Fixed: Issue setting the effective group ID on some non-interactive Tailscale SSH sessions. This issue is specific to FreeBSD's implementation of setgroups and does not impact other platforms.
Multi-use invite links
- Create multi-use invite links in the Machines page of the admin console, for sharing nodes
Tailscale v1.38.1
All platforms
- tailscale configure command to configure resources that you want to include in your tailnet
- tailscale lock sign to sign pre-approved auth keys for use with tailnet lock
- tailscale debug derp command to help diagnose DERP-related difficulty
- tailscale debug capture command to write packet capturing for debugging
- The tailscale debug portmap command replaces tailscaled debug -portmap. This is now available on platforms without a tailscaled binary (like the macOS App Store).
- tailscale serve command has been overhauled
- tailscale serve funnel has been made into its own command, tailscale funnel
- Several improvements to UPnP port mapping have been made that allow it to work with a broader set of home routers
Linux
- Certificates can be stored in Kubernetes secret storage
Windows
- MSI installers start the GUI without user interaction to allow remote upgrades
macOS
- Notification upon node key expiration (only on macOS 10.14 and later)
- Tailscale SSH server component is available for macOS open source Tailscale + tailscaled CLI devices
iOS
- Support for alternate control servers by setting the URL in Settings page of the admin console
Android
- Chromecast support while Tailscale is active
Note: v1.38.0 was never released.
User approval
- Use user approval to require an admin to approve a user before they can join a tailnet (beta)
- New: Enable user approval for tailnet, Disable user approval for tailnet, and Approve user actions are logged as Configuration audit logging events
- userNeedsApproval and userApproved events are available as webhook events
Settings page is reorganized
- Device management section is added to the Settings page of the admin console
- User management section is added to the Settings page of the admin console
- Feature Previews section is removed from the Settings page of the admin console. All feature previews are now located in the General page.
- Identity Provider and User & Group Provisioning options are moved from the General page to the User management page of the admin console
- Device Approval and Key Expiry options are moved from the General page to the Device management page of the admin console
- Billing drop-down option for logged in users is removed from the admin console. Use the Billing section in the General page instead.
Tailscale extension for Docker Desktop GA
- Docker Desktop extension (generally available)
- Use the Tailscale extension for Docker Desktop to securely connect to the resources you need for development
Tailscale v1.36.2
macOS
- Prevent using an exit node while being an exit node
- Improve detection of default interface
iOS
- Improve detection of default interface
Windows
- Improve clean out of registry entries during upgrade
Billing admin
- Billing admin role to manage pricing plan and billing information, but not modify other tailnet settings
- All users with the Admin role can manage pricing plan and billing information
- Configuration audit logging no longer includes "Update billing owner for tailnet" events. Changes to Billing admin roles are included in "Update role for user" events
Webhook events when a webhook is updated or deleted
- webhookUpdated and webhookDeleted events are now generated when a webhook is updated or deleted. These events are subscribed by default and cannot be disabled.
Device authorization is now called Device approval
- "Device approval" replaces "Device authorization" as the name of the feature in the General settings page of the admin console
- "Needs approval" replaces "Needs authorization" in the Disabled filter of the Machines page
- "Pre-approved" replaces "Pre-authorized" in the Generate auth key dialog of the Keys page
- "nodeApproved" replaces "nodeAuthorized" in webhook events
- "nodeNeedsApproval" replaces "nodeNeedsAuthorization" in webhook events
- "Enable device approval for tailnet" replaces "Enable device authorization for tailnet" in Configuration audit logging events
- "Disable device approval for tailnet" replaces "Disable device authorization for tailnet" in Configuration audit logging events
- "Approve node" replaces "Authorize node" in Configuration audit logging events
Webhook event when a user is created
- userCreated event in the Tailnet management category when a user is created
get-authkey utility
- Generate auth keys to stdout for scripting with get-authkey utility
Tailscale v1.36.1
All Platforms
- Potential infinite loop when node key expires
macOS
- Handle starting the app before network interfaces are ready
iOS
- Handle starting the app before network interfaces are ready
- Get Status intent will not connect the VPN
Windows
- Potential crash in netstat handling
- Windows 7 checks for KB2533623
Configuration audit logging GA
- Configuration audit logging (generally available)
- Identify who did what, and when, in your tailnet
Feature invite logs no longer include acceptor
- Accept invite for feature events in configuration audit logs no longer include the acceptor in the sharer's logs
OAuth clients
- Use OAuth clients to provide delegated fine-grained access to the Tailscale API (beta)
Tailscale actions for iOS and macOS Shortcuts
- Automate tasks with Tailscale actions for iOS and macOS Shortcuts
Tailscale v1.36
All Platforms
- --json flag for the tailscale lock status and tailscale lock log commands
- --json flag for the tailscale version command
- tailscale update command to update client
- tailscale debug daemon-logs to watch server logs
- tailscale status --json now includes KeyExpiry time and Expired boolean on nodes
- tailscale version now advertises when you're on the unstable (dev) track
- (Unix platforms) When /etc/resolv.conf needs to be overwritten for lack of options, a comment in the file now links to https://tailscale.com/s/resolvconf-overwrite
- Tailscale SSH: SSH to tailscaled as a non-root user works again, as long as you only SSH to the same user that tailscaled is running as
- Fixed: Handle cases where a node expires and we don't receive an update about it from the control server (#6929 and #6937)
- Fixed: Support UPnP port mapping of gateway devices where they are deployed as a highly available pair (#6946)
- Support arbitrary IP protocols like EOIP and GRE (#6423)
- Exit node handling of a large number of split DNS domains (#6875)
- Accept DNS-over-TCP responses up to 4K bytes (#6805)
Linux
- Add build support for Loongnix CPU architecture
- Improved throughput performance on Linux (#6663)
macOS
- Tailscale actions (connect, disconnect, switch profile, use exit node) are available in the Shortcuts app (read the blog post)
- Tailscale traffic looping upon certain sleep/resume/Wi-Fi change transitions (#5156)
iOS
- Tailscale actions (connect, disconnect, use exit node) are available in the Shortcuts app
- Tailscale using cellular data even after Wi-Fi becomes available (#6565)
Windows
- Add a more robust mechanism to remove WinTun (#6433)
- Update taskbar menu radio button implementation
Android
- New version of the Gio UI library with internationalization and accessibility fixes
- Allow Sonos app to discover local devices while Tailscale is connected
Synology
- Show whether outgoing connections are configured in the web UI
Containers
- Run in a Kubernetes environment without setting TS_KUBE_SECRET (#6704)
OpenBSD
- Tailscale SSH runs on OpenBSD
Login page interstitial to confirm node authentication
- The Tailscale login page (https://login.tailscale.com) describes the action taking place, such as adding a new device or authorizing SSH access. For some actions, like adding a new node, a second redirection page will be used as a confirmation step.
Self-request access to Tailscale Funnel
- UI functionality to request access to Tailscale Funnel
Functionality to delete the beta.tailscale.net nameserver
- UI functionality to delete the legacy beta.tailscale.net nameserver if you are no longer using it
Scoop
- Available as an application in Scoop in Extras bucket
Terms of service, privacy policy, and DPA
- Updated Terms of service
- Updated Privacy policy
- Data Privacy Addendum and list of subprocessors
Tailscale v1.34.2
Linux
- Handling of a very large number of SplitDNS domains with an exit node
macOS
- UI glitch with macOS 10.14 and 10.13
Windows
- Custom server URL from registry key support
Synology
- Crashes manifesting on ARM-based platforms and models with very old kernels
Dev container feature
- Access your tailnet from GitHub Codespaces using Tailscale as a feature in a dev container (Thanks Ross Light!)
User & group provisioning for Okta GA
- User & group provisioning for Okta (generally available)
- Sync Okta groups to use in your Tailscale ACLs
nodeID included in all node-related webhook event payloads
Tailnet lock
- Use tailnet lock to require your nodes to verify node keys distributed by the coordination server before trusting them (alpha)
Tailscale v1.34.1
Linux
- Unit tests on systems using busybox ip
- Regression handling TS_STATE_DIR in containerboot
macOS
- Issue which could fail to save the key for tailscale serve (#6409)
- Issue which could cause crash when interfaces change (#6641)
Windows
- Common cause of an issue with Tailscale SSH (#6639)
Export list of devices and users in your tailnet
- Use the admin console to export a list of devices and export a list of users in your tailnet
Tailscale v1.34
All Platforms
- tailscale switch command to switch between accounts using fast user switching
- tailscale login command to login with a specified account
- tailscale set command to modify configuration settings without needing to repeat the others
- tailscale lock command to manage tailnet lock for your tailnet
- Additional 4via6 DNS name format, Q-R-S-T-via-X (or Q-R-S-T-via-X.yak-bebop.ts.net), for systems that required dashes instead of dots
- Display decoded punycode hostnames in status list
- Warn in tailscale status health and tailscale up if there are nodes advertising routes but --accept-routes=false
Linux
- Add fast user switching using tailscale login and tailscale switch
- Warn in tailscale status health if something else overwrites /etc/resolv.conf
macOS
- Add fast user switching by selecting the desired tailnet from the Tailscale icon in the menubar, or via the tailscale login and tailscale switch commands
Windows
- Add fast user switching by selecting the desired tailnet from the Tailscale icon in the taskbar, or via the tailscale login and tailscale switch commands
- Use named pipes to communicate between UI and Service
- Changed: Move state storage responsibility from frontend to backend. The current state is migrated, this should not be a noticeable change.
- Switch to wingoes for OLE support, use multithreaded apartment
- Received Taildrop files get placed in the C:\Users\(username)\Downloads directory (previously they were placed in the C:\Users\(username)\Desktop directory)
Android
- Allow Sonos app to discover speakers on the local LAN
Synology
- Better detect DSM version, locate local socket correctly
Containers
- Replace run.sh with cmd/containerboot
FreeBSD
- Support for Tailscale SSH (Thanks Pat Maddox!)
Set contact preferences for email notifications
- Set contact preferences in the Contact Preferences page of the admin console for notifications about account changes, configuration issues, security issues, and billing
- Contact preference updates and verifications are included in configuration audit logs
Create feature preview invitations
- Create invitations for feature previews in the General settings page of the admin console
Name change for unstable Docker images
- Tailscale unstable images on Docker Hub and in GitHub Packages now contain the prefix "unstable-", for example "unstable-v1.33" instead of "v1.33"
Tailscale v1.32.3
All Platforms
- Fixed: Security vulnerability in the Windows client that allows a malicious website to reconfigure the Tailscale daemon tailscaled, which can then be used to remotely execute code (CVE-2022-41924, TS-2022-004)
- Fixed: Security vulnerability in the client that allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables (CVE-2022-41925, TS-2022-005)
Windows
- Set Zone.Identifier alternate data stream for Taildrop files
macOS
- Set com.apple.quarantine flag for Taildrop files
Tailscale Funnel
- Tailscale Funnel to route traffic from the wider Internet to your Tailscale nodes (alpha)
Filter machines in admin console with UI filters
- Use UI filters to easily filter devices in the Machines page of the admin console
Webhook event payload additions
- The actor is included in all webhook event payloads
- The key expiration time is included in payloads for expiration-related events
- Slack messages generated for webhook events now have timestamps formatted in the local timezone of the user viewing the message
Tailscale in Azure Marketplace
- Set up billing in Azure with a Tailscale in Azure Marketplace subscription
Tailscale SSH Console
- Create a browser-based SSH session from the admin console to a node on your tailnet (beta)
Tailscale v1.32.2
Ability to change tailnet fun name
- Re-roll tailnet fun name if you want a different fun name and you haven't already used it for HTTPS certificates
Tailscale v1.32.1
Fully qualified domain name in API responses
- Changed: In output of Tailscale API calls, a machine's name uses the fully qualified domain name based on the tailnet name, instead of the previous format based on the organization name. For example, a machine name in API output is now my-server.yak-bebop.ts.net instead of my-server.example.com. This is a display-only change and doesn't modify the name of any machines.
MagicDNS General Availability
- MagicDNS (generally available)
- Access devices using short hostnames, like my-server or dashboard
Tailnet name changed
- Tailnets use .ts.net instead of .beta.tailscale.net for the tailnet name
- To avoid publicizing your organization name, Tailscale provides you with a tailnet name, which is used by features like MagicDNS, HTTPS, and sharing. The tailnet name is visible in the DNS page of the admin console.
- Previously, you might have used a name ending in .beta.tailscale.net. If so, migrate to the new tailnet name. The existing beta.tailscale.net name remains supported until at least November 1, 2023.
- What we previously called the tailnet name is now called the organization name. The organization name is used by the Tailscale API, and is visible in the Settings page of the admin console.
Configuration audit logging
- Use configuration audit logging to identify who did what, and when, in your tailnet (beta)
NextDNS
- Use NextDNS as a global nameserver
- Configure different NextDNS profiles for different devices using nodeAttrs
Tailscale v1.32.0
All Platforms
- Support NextDNS
- Add tailscaled --no-logs-no-support (or TS_NO_LOGS_NO_SUPPORT=true environment variable)
- tailscale bugreport --record flag to pause and write another bug report
- More in-depth health checks in a bugreport
- tailscale netcheck looks for a captive portal
- Build with Go 1.19.2
- IP fragmentation handling as an exit node
- SSH inadvertently closing tmux/etc panes at disconnect
- Always respond to 4via6 ICMP echo requests
- Normalize more process names in Services report
Linux
- Coexist with mwan3 package iptables rule fwmark masks, for OpenWRT
- Add an eBPF helper to pass the first packet on a new flow up to tailscaled
- Better detect when running in a container
macOS
- Incorrect list of Taildrop target devices
Windows
- Log Windows service diagnostics when the wintun device fails to install
iOS
- Incorrect list of Taildrop target devices
Android
- Show an error when unable to accommodate multiple users
Synology
- envknob support
- Configure-host version parsing
DNS entries for DERP regions for firewalls
- Per-DERP-region DNS entries, such as derp1-all.tailscale.com, available for firewall allowlists or other compliance requirements
Key type embedded in keys
- Key type is embedded in new keys, for example, tskey-auth-012345abcdef instead of tskey-012345abcdef
Honolulu DERP region
- Honolulu added as a DERP region
Dubai and Warsaw DERP regions
- Dubai and Warsaw added as DERP regions
Check mode supported for nodes provisioned with an auth key
- Nodes provisioned with an auth key can use Tailscale SSH with check mode
Tailscale v1.30.2
All Platforms
- IPv6-mapped-IPv4 addresses in STUN responses
- Better detect when running in a container
Hong Kong, Madrid, and Toronto DERP regions
- Hong Kong, Madrid, and Toronto added as DERP regions
Los Angeles and Paris DERP regions
- Los Angeles and Paris added as DERP regions
Johannesburg and Miami DERP regions
- Johannesburg and Miami added as DERP regions
Amsterdam and Denver DERP regions
- Amsterdam and Denver added as DERP regions
Tailscale v1.30.1
All Platforms
- Exit nodes in userspace-networking mode break Chrome v.104 or later IPv6 connectivity
- SIGINT when running in a container without job control
GitOps for Tailscale ACLs
- Sync Tailscale ACLs GitHub Action in GitHub Marketplace to keep your tailnet policy file in Git, and automatically run tests and push changes to Tailscale
Tailscale v1.30
All Platforms
- Use DNS-over-HTTPS for Mullvad DNS servers
- Report whether a subnet router is running in userspace-networking or kernel mode
- Send Tailscale client version number in ACME requests (to Let's Encrypt, for example)
- Report whether host kernel supports IPv6
- Add tailscale licenses with link to open source licenses
- Delete node immediately if tailscaled exists and was using mem: state storage
- tsnet ephemeral nodes will delete themselves on Close()
- Add a timeout when writing to BIRD socket
- Clients can use Noise with any HTTPS port with capver 39 (mainly for Headscale)
- 100.100.100.100 will respond with SERVFAIL if there are no upstream resolvers
Linux
- Gracefully handle restarts in resolved support
macOS
- Report variant (App Store, system extension) in the about box
- Fix missing IP address display in the status menu
Windows
- Add native ARM build for backend Tailscale service (only in NSIS installer in this release)
- Update Proxy support
- Notice when group policy entries change and move our NRPT rules between the local and group policy subkeys as needed
- Avoid 2.3 second DNS lookup delay when Smart Name Resolution is enabled by adding MagicDNS names to hosts file
- Disable NetBIOS nameservice on Tailscale interfaces
iOS
- Fix potential crash in notification handling
- Fix dismissing of error indication if a bugreport fails
Android
- Allow coordination server URL to be set. Click the Authentication menu three times quickly to enable
- Fix Google Stadia, Android Auto, GoPro, and Messages RCS with the VPN active
Synology
- Fix /dev/net permissions in tailscale configure-host
OpenBSD
- Support functioning as a subnet router or exit node using hybrid netstack mode
Other
- Accommodate shared nodes in nginx-auth
- Fix race in derper (Custom DERP servers) with manual certificates
Terraform provider
- Tailscale Terraform provider for managing your Tailscale resources, managed by Tailscale
Share invite links without a label
- Invite links for sharing a device are automatically generated and copied, and no longer require a label to be generated
Remove ephemeral nodes immediately
- Run tailscale logout to remove an ephemeral node from your tailnet immediately
TrueCharts
- TrueCharts has added community support for a TrueNAS SCALE app and Helm chart for Tailscale (Thanks!)
On-demand access integration
- On-demand access integration with ConductorOne, Indent, Opal, and Sym
OneCGNATRoute setting, custom derp server upgrade
- The network policy options section in ACLs now contains the OneCGNATRoute setting which controls the routes that Tailscale clients will generate
- Bug that can cause slow connects and a crash in a custom DERP server in manual cert mode (not using Let's Encrypt). We encourage you to upgrade your derper binary. If you use the default Let's Encrypt mode, no action is required
Tailscale SSH supported for shared tagged nodes
- Connect with Tailscale SSH to tagged nodes that are shared with you
Tailscale status page
- View the status of Tailscale services at https://status.tailscale.com/
pfSense
- Netgate has added Tailscale support to the pfSense package repository (Thanks!)
Tailscale v1.28
All Platforms
- Add ExitNodeStatus to tailscale status --json
- Fix tailscale ping -c N to properly exit after N ping requests even if there are timeouts
- MagicDNS recursive resolution now returns SERVFAIL if all upstream resolvers fail
- portmapper: Send discovery packet for IGD specifically, some routers don't respond to ssdp:all
Linux
- Implement specific DNS support for AWS, Google Cloud, and Azure to add internal split DNS domain and fallback DNS
macOS
- Use one large 100.64.0.0/10 route entry if there are no other interfaces using CGNAT, to avoid Network Changed errors in browsers where possible
Windows
- Suppress nonfunctional link-local IPv6 addresses on Tailscale interface, PowerShell ping (hostname) now works correctly
- Set registry values to not send DNS changes concerning our interface to AD domain controllers
- Update Windows split DNS settings to work alongside other NRPT entries set by group policy
- Set AllowSameVersionUpgrades attribute on MajorUpgrade tag in Windows MSI script
iOS
- Add portmapper support for NAT-PMP, PCP, UPnP
- Add MagicDNS support for TCP
- Changed: The minimum iOS version is now iOS 15, which makes substantially more memory available (the App Store will offer Tailscale 1.26.2 for iOS 13 and 14 devices)
Android
- Android can now be an exit node (previously available but hidden)
Tailscale v1.26.2
All Platforms
- tailscaled being able to restart while mosh-server is running from an SSH session
- Make tailscale up --operator="" clear a previously set operator
Linux
- Tailscale SSH support with Arch Linux
macOS
- Limit SSH login to 16 groups
Windows
- Make SSH command prefer Windows ssh.exe over PATH
iOS
- Try harder to notify for SSH check mode
4via6 subnet routers
- Use 4via6 subnet routers to route traffic when you have existing subnets with overlapping IPv4 addresses (alpha)
DNS records for shared devices
- Sharing a device with a tailnet domain alias now lets the share recipient also use the shared device's *.ts.net DNS name
Tailscale SSH
- Use Tailscale SSH to allow Tailscale to manage the authentication and authorization of SSH connections in your tailnet (beta)
- Default ACL now allows users to access their own devices using Tailscale SSH with check mode. This only affects tailnets with default ACLs, including new tailnets and tailnets which have never modified their ACLs
Tailscale v1.26.1
All Platforms
- Various bugs
Tailscale v1.26
All Platforms
- Add --peerapi <peer> flag in tailscale ping to check connectivity to a peer using the PeerAPI
- Add --timeout <duration> flag in tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initialize
- Allow LoginInteractive via LocalAPI
- MagicDNS supports DNS/TCP and handling IP fragmented UDP frames
- Add an overall 10 second timeout for recursive MagicDNS queries
- Add Wake-on-LAN function to PeerAPI. There is no UI for it currently.
- Provide /run.sh as an entrypoint for Docker container builds
- Configured MTU is now consistent between a TUN device and a userspace device
- Refactor tailscale.com/client/tailscale package with LocalClient type
- Change MagicDNS "via route" DNS names from "via-SITEID.10.2.3.4" to "10.2.3.4.via-SITEID". The old format will continue to work for the next one or two releases.
- Build with Go 1.18.3
macOS
- Tailscaled-on-macOS now supports MagicDNS, including Split DNS
- Initial release of a standalone macOS client, which is independent of the App Store, in the stable track
Windows
- Add TS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUI
- MagicDNS lookup of own hostname
- Handle more than 50 Split DNS domains
- Resolve one source of shutdown delay (there may still be more)
Synology
- Allow the NAS disks to hibernate by moving telemetry buffering to tmpfs
- Improve HTTP proxy handling
iOS
- Bug report menu option in the UI
Search, role filtering, and pagination now supported in the Users page
- Search for users and filter based on user role in the Users page
- Pagination when user list is large in the Users page
Standalone macOS build available for testing
macOS
- Initial release of a standalone macOS client, which is independent of the App Store, in the unstable track
Update billing email details in the admin console
- Update billing email address in the Billing page of the admin console
Autogroup:members as a tag owner
- autogroup:members as a tag owner, to enable device tagging by any user who is a direct member (not a shared user) of the tailnet
Format ACLs when saving
- ACLs are automatically formatted when saved from the Access controls page of the admin console or the API
Key expiry range changed
- The allowed expiration range for keys is 1 to 180 days, instead of 3 to 180 days
Update invoice details in the admin console
- Update invoice name and address in the Billing page of the admin console
Tailscale extension for Docker Desktop
- Use the Tailscale extension for Docker Desktop to securely connect to the resources you need for development (beta)
Add all addresses for global DNS nameservers
- When adding common global DNS nameservers, Tailscale will automatically include all IPv4 and IPv6 addresses for that nameserver and treat them as one entity
Validate ACLs in API
- The tailnet ACL validate API call also allows verifying ACL format and running ACL tests, without posting a new ACL
- The tailnet key detail API call includes whether an auth key is pre-authorized
Tailscale v1.24.2
All Platforms
- Handling of HTTP proxies in certain circumstances
- An issue where the new control plane protocol could fail to make a connection to our servers (#4557)
Synology
- Additional fix in handling of HTTP proxies
Tailscale v1.24.1
Android TV support
Android
Tailscale v1.24
All Platforms
- Initial support for site-relative IPv4 addressing using IPv6
- First for-keepsies deployment of ts2021 protocol
- tsnet now supports providing a custom ipn.StateStore
- Improve netstack performance via better GC tuning
- MagicDNS: PTR records for TS service IPs
- Build with Go 1.18
Linux
- taildrop: add file get --loop
- taildrop: add file get --conflict=(skip|overwrite|rename)
- Default to userspace-networking mode on gokrazy
- Set tailscale0 link speed to UNKNOWN, not 1Gbps
- Attempt to load the xt_mark kernel module when it is not present
Windows
- Improve HTTPS proxy handling
Synology
- Improve HTTPS proxy handling
Android
- Android TV support
- Fix and reintroduce Talkback support
FreeBSD
- Portmapping support
Sync Okta groups to use in your Tailscale ACLs
Update tax identification number in the admin console
- Add or modify your tax identification number in the Billing page of the admin console
ACL tests now support group in syntax
- ACL tests now support group as an option for the src field, and as the host portion of the accept and deny fields.
ACL tests now support accept/deny syntax
- Policy syntax for ACL tests now supports accept/deny in addition to allow/deny when specifying destinations that the ACL rules should accept or deny.
Tailscale v1.22.2
Update instructions
Linux
- Potential crash at startup when using BGP
Windows
- MSI not restarting GUI after MSI-to-MSI upgrade
Tagged nodes no longer need key renewal
- Tagged devices have key expiry disabled by default
Autogroup:members
- ACL rules can use autogroup:members to write rules to allow access for users who are direct members (not shared users) of the tailnet
Tailscale v1.22.1
Update instructions
All Platforms
- In userspace-networking mode, always close SOCKS proxied connections
Linux
- Better operation with gokrazy
macOS
- Fix macOS GUI "Must restart" dialog in some cases
Windows
- Fix a Windows NSIS installer bug when upgrading
FreeBSD
- Fix portmapping
Exit node sharing
Auto Approvers for routes and exit nodes
- Auto Approvers for routes and exit nodes to auto-approve advertised routes and exit nodes (beta)
Tailscale v1.22
Update instructions
All Platforms
- New: DERP Return Path Optimization (DRPO), allows a pair of nodes in different DERP regions to connect more quickly by only requiring one side to connect to the other, cutting down some DERP setup latency
- tailscaled --state=mem: registers as an ephemeral node and does not store state to disk
- tailscale status --json now shows Tags and PrimaryRoutes for Peers. PrimaryRoutes shows whether a HA subnet router is currently the active one.
- tailscale status --json | jq .TailnetName will show the name of the tailnet
- The optional tailscaled debug server's Prometheus metrics exporter now also includes Go runtime metrics
- tailscaled supports a new TS_PERMIT_CERT_UID environment variable containing either a userid or username to allow to fetch Tailscale TLS certificates for the node. This environment variable can be set in /etc/default/tailscaled to permit non-root web servers on the local machine to fetch certs from tailscaled.
- Send heartbeats less often, saving some battery, matching v1.20 change on mobile platforms.
- --auth-key and --authkey both work as tailscale up arguments
Linux
- More robust detection of systemd-resolved
- Efficiently parse extremely large /proc/net/route files
- Be more helpful in suggesting tailscale --operator=USER to use with Taildrop
- Some broken host DNS configurations are now detected and reported in tailscale status
Windows
- MSI installer
- Reject SIDs from deleted/invalid security principals to avoid "failed to look up user from userid" error
Synology
- Add /var/packages/Tailscale/target/bin/tailscale configure-host to restore needed permissions. We recommend adding this as a scheduled task at boot.
ACL rules now support src/dst syntax
- Policy syntax for ACL rules now supports src/dst in addition to users/ports when referring to sources and destinations
Preview rules bug fixes
- Preview rules in the admin console does not confuse access for tagged nodes with other tagged nodes (#3957)
- Preview rules no longer shows autogroup:self for all tagged nodes
- Preview rules no longer shows an error if there is an autogroup:self rule
Pre-authorized auth keys
- Generate auth keys that are pre-authorized for device authorization (#2120)
- One-off ephemeral auth keys actually create ephemeral nodes
- autogroup:self for users with mixed case accounts (#3954)
Tailscale v1.20.4
Update instructions
All Platforms
- DNS lookups via an exit node in many cases
Linux
- Better handling of extremely large /proc/net/route files for very large routers
- BGP advertisement with subnet router failover
OpenBSD
- openresolv /etc/resolv.conf handling
Disable node key expiry via API
- Disable node key expiry via API
- Preview rules in the admin console for tagged nodes
ACL tags General Availability
- ACL tags (generally available)
- You can include tags as part of an authentication key, you can tag devices from the Machines page of the admin console, and tags can be owners of other tags. You must authenticate when re-tagging a device.
- Preview rules in the admin console for a user without any nodes
Tagged devices are managed by a tag, not a user
- A device tagged with an ACL tag is associated with the tag applied to it, not with the user who authenticated the device
- Tagged devices are listed under "Tagged Devices" in the list of Network devices in Tailscale clients
- Users cannot use Taildrop to send files to and from nodes they have tagged
- A user without any nodes can be specified as part of an ACL test
Tailscale v1.20.3
Update instructions
Synology
- UI issues in Synology (Synology 1.20.2 doesn’t have working options page)
Only the Synology client released v1.20.3. All other platforms remain with v1.20.2.
Self-serve Synology packages
- Self-serve Synology packages are now available on pkgs.tailscale.com.
Tailscale v1.20.2
Update instructions
All Platforms
- Memory footprint growth in userspace-networking mode (netstack: leaking packet buffers tailscale #3762)
- Userspace-networking will accept a TCP SYN with ECN bits set (xt-userspace-networking incoming TCP doesn't always work right away tailscale #2642)
- Saving resolver list for OpenBSD
Delete single user tailnets
- Delete your tailnet from the Settings page of admin console if it only has one user. Contact support for other requests
Tailscale v1.20.1
Update instructions
All Platforms
- Deadlock in handling the DERP map
Tailscale v1.20
Update instructions
All Platforms
- When using an exit node, DNS queries will be forwarded to the exit node for resolution
- tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
- SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
- More debug metrics available
- tailscale ip -1 flag
- CLI now lets you select exit node by name
- CLI now shows you which nodes are offering exit nodes
- CLI now refuses to let you pick an invalid exit node (when connected)
- Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
- Added Online boolean to tailscale status --json, made tailscale status show offline nodes
- Added tailscale up --json
- MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using disableIPv4: true in ACL
- Choose a new DERP relay server if the current DERP is removed from the DERPmap
- Bug fixes, cleanups, log spam reduction
Linux
- tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)
Windows
- GUI support for running an exit node
macOS
- GUI support for running an exit node
iOS
- Send heartbeats less often to conserve battery
Android
- Talkback support
- Menu selection to generate a bug report
- "Allow LAN Access" checkbox in Exit Node menu
- Send heartbeats less often to conserve battery
- Implement DNS config reporting
- No longer require fallback DNS to be configured in admin console
- Report in the UI when connectivity is lost; this functionality was present but broken in prior releases
FreeBSD
- Now supports running in a jail (if devd isn't available, it falls back to network status polling mode)
Auth keys with ACL tags
- Auth keys can include an ACL tag binding, so that when a device is authenticated, the tags are applied
- ACL tags can be applied by an Owner, Admin, or Network admin from the admin console
- A tag can be the owner of another tag
- Auth keys can be generated via API
Tailscale v1.18.2
Update instructions
All Platforms
- Permit protocols other than TCP, UDP, or SCTP if an ACL rule has a proto specified and allows * port range
- Exit node selection takes effect (almost) immediately
Linux
- In DNS DirectManager, allow comments at the end of a line
- Don't get stuck waiting for systemd-resolved to restart in one particular DNS configuration
Synology
Autogroup:self
- ACLs can now use autogroup:self to write access rules to allow access to devices authenticated as the same user as the source IP address
Tailscale v1.18.1
Update instructions
Linux
- Regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing
Additional admin roles
- User roles for Network admin, IT admin, and Auditor
ARM and ARM64 container images
- arm and arm64 container images on Docker Hub and in GitHub Packages
Tailscale v1.18
Update instructions
All Platforms
- tailscaled debug server now exports Prometheus metrics at /debug/metrics
- Improved UPnP discovery so that eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
- State machine transition regarding expired key extension
- If unable to upload telemetry, limit amount buffered to 50MB
- Retry more transient DNS errors, instead of passing the failure back to the client
Linux
- Support storing Tailscale state using AWS SSM (for example, tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)
- If resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
- If NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
- Handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
- Work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
- Use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device
iOS
- On iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms
Synology
- Only use AmbientCaps on DSM7+
Homebrew
- Available as a formula in Homebrew (Thanks!)
Okta Integration Network
- Available in the Okta Integration Network
Suspended and inactive users
- Users can be suspended and restored from the Users page of the admin console
- Users who are inactive are shown in Users page of the admin console
IPv4 addresses for ephemeral nodes
- Ephemeral nodes now have both IPv6 and IPv4 addresses
Synology Package Center
- Officially supported in the Synology package center
Published container image
- Published Tailscale container image available on Docker Hub and in GitHub Packages
Authentication settings
- Enable device authorization from the Settings page of admin console
- Set key expiry from the Settings page of admin console
Tailscale v1.16
Update instructions
All Platforms
- Support storage of node state as a Kubernetes secret.
- tailscale up --authkey=file:/path/to/secret support
- tailscale up --qr for QR codes
- tailscaled in userspace-networking mode can now run an HTTP proxy server (in addition to the prior SOCKS5 proxy server support)
- No longer need the while tailscale up; do sleep 0.1; done loops in Docker startup scripts.
- CPU/memory profiling support in tailscale debug
- Bake in LetsEncrypt's ISRG Root X1 root (also in 1.14.6)
Linux
- Support containers with !CAP_NET_RAW and !CAP_NET_ADMIN (like CircleCI runners)
- Service (portlist) scanning optimized; uses much less CPU on busy servers
Windows
- Move state to C:\ProgramData (also in 1.14.4)
macOS
- Super rare WireGuard packet loop network flood when using a DNS server behind a subnet router, when a macOS device resumes from sleep and the network changes (also iOS, but triggers less there). Fixes #1526 (also in 1.14.6).
iOS
- Turn the radio on less often to improve battery performance
Android
- Support Taildrop on older Android releases
- Turn the radio on less often to improve battery performance
QR code for login link
- Specify --qr as part of tailscale up to generate a QR code for the login URL
Service Updates
Update instructions
All Platforms
- Include Let's Encrypt's ISRG Root X1 root as an alternate to try if the platform roots fail
- If tailscale cert fails because it needs to be run as root, say so.
- Avoid looping packets in tstun, believed to fix #1526
- Allow SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
- Ensure state directory is set to perm 0700.
iOS
- Ignore ipsec link monitor events for iOS to avoid waking the system
Service Updates
Update instructions
Windows
- Move state files from C:\Windows to C:\ProgramData, to better handle Windows
Synology
- Fix segfaults shortly after starting, resolves #2733
HTTPS certificates
- Provision TLS certificates for devices in your tailnet (beta)
Community on GitHub plan
- Free Community on GitHub pricing plan for GitHub organizations using Tailscale for open source projects, families, and friends
Tailscale v1.14.3
Update instructions
All Platforms
- tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
- Crash in TCP forwarding with userspace-networking; resolves #2658
Windows
- Default route lookup on Windows; resolves #2707
Note: v1.14.1 and v1.14.2 were never released.
Device authorization by API
- Device authorization is available in the API
GitHub Actions marketplace
- Connect Tailscale action available in GitHub Marketplace