Changelog

• New: Use the Tailscale Kubernetes operator to expose a Kubernetes cluster to your tailnet and securely connect to the Kubernetes control plane (alpha)

• New: Apple TV GA (generally available)
  • Use an Apple TV to access your media server content remotely, route Apple TV traffic through an exit node, or advertise Apple TV as an exit node

All platforms

• Fixed: Stability improvements for Mullvad Exit Nodes, particularly for users on IPv4-only networks

• New: Use Mullvad Exit Nodes to have Mullvad VPN endpoints as exit nodes for your Tailscale network (beta)
• New: “Enable Mullvad VPN for tailnet” and “Disable Mullvad VPN for tailnet” are logged as configuration audit logging events when Mullvad Exit Nodes are enabled or disabled, respectively

• Changed: The Active status filter option in the Users page of the admin console is removed. Use the Billing page to track your active users instead.
• Changed: The Inactive badge and status filter option in the Users page of the admin console is renamed Idle

All platforms

• Fixed: Fix a security vulnerability in UPnP port mapping (TS-2023-006)

Linux

• Fixed: Resolve nftables interaction between Tailscale and UFW which resulted in blocking subnet routed traffic

Synology

• Fixed: Determine correct CPU architecture in tailscale update (#8927)

• New: User & group provisioning for Azure AD (beta)
  • Sync Azure AD groups to use in your Tailscale ACLs

• New: Use the Tailscale GitLab CI/CD configuration to access devices in your tailnet directly from your GitLab Runner

• New: View and interact with machines on your tailnet within the Tailscale extension for Visual Studio Code. Powered by Tailscale SSH, you can remotely manage files, open terminal sessions, or attach remote VS Code sessions.

• New: Use private endpoints (beta) in your tailnet for log streaming

• New: autogroup:tagged to refer to all tagged nodes in a tailnet

All platforms

• Fixed: Issue with tailnet lock signature verification

Linux

• Fixed: Crash issue on ARM64

Android

• Fixed: DNS and subnet routes issue

• New: Syntax for autogroups now supports autogroup:member in addition to autogroup:members when referring to all users in a tailnet

• New: The logs:read OAuth scope can be used to grant API access to configuration audit logs
• New: The network-logs:read OAuth scope can be used to grant API access to network flow logs

• New: The tailnet policy file validation endpoint will now return warnings about SCIM synced groups in addition to errors in the response object. These will be the same warnings you would have seen visually in the admin console if you had tried to save that policy file. See the user and group provisioning documentaiton for more detail.

All platforms

• Fixed: Handling of custom HTTP ports in tailscale serve

Windows

• Changed: Restore support for Microsoft Windows 7 and Microsoft Windows 8.x.
  Tailscale v1.44.2 will be the last release to support the following operating systems: Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, and Microsoft Windows Server 2012.

• New: Use Panther Labs (beta) for Log streaming

Android

• Fixed: Various bugs and improvements

• Changed: Updated Terms of Service
• Changed: Updated Privacy Policy

• New: Nairobi added as a DERP region

• New: Description field is added to the Generate auth key dialog in the Keys page of the admin console
• New: Description field is added to the Generate access token dialog in the Keys page of the admin console
• New: Description field is added to the Generate OAuth client dialog in the OAuth clients page of the admin console

Note: This is the last release to support the following operating systems:

• macOS 10.13 High Sierra
• macOS 10.14 Mojave

Tailscale releases after 1.44.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.44.0 with future releases until at least June 30, 2024.

All platforms

• New: tailscale serve http command to serve over HTTP (tailnet only)
• New: tailscale ssh command now supports remote port forwarding
• New: Recursive DNS resolution is now initially supported to replace bootstrapDNS when operating in a parallel mode
• Changed: Build with Go 1.20.5
• Changed: --tun-userspace-networking stability improvements for userspace subnet routers
• Changed: MagicSock private addresses are given preference when both private and public are available, to help keep traffic in private VPCs, where possible
• Changed: Async support is removed from the portlist package. Update to use synchronous Poll() if this breaks your package.
• Changed: WatchIPNBus now only requires read-only permissions to read
• Changed: tailscale cert renewal decision is now based on the lifetime of the certificate instead of hard-coded. This better supports 14 day certificate lifetimes.

Linux

• Changed:tailscale ssh support improvements for Security-Enhanced Linux (SELinux) systems
• Changed:tailscale ssh supports user names with up to 256 characters
• Changed: build_dist.sh better supports operating systems and CPU architectures which Tailscale release builds do not include
• Changed: The iputils package can now be installed on Alpine-based Docker containers

Windows

• Fixed: PreferGo supports better DNS caching

macOS

• Fixed: ICMP6 forwarding works as expected when running as a subnet router

FreeBSD

• Fixed: ICMP6 forwarding works as expected when running as a subnet router

OpenBSD

• Fixed: ICMP6 forwarding works as expected when running as a subnet router

WASI

• Fixed: tsnet applications compiled to WebAssembly are now better supported

• New: The Tailscale app for QNAP is now available in the QNAP App Center

• Fixed: IPv6 addresses can now be directly specified in ACL rules and tests.

• New: Codeberg and Gitea supported as custom OIDC providers

• Changed: When logging in to a node that has an expired key in a tailnet that has enabled Tailnet lock, an error message is returned, directing you to reauthenticate instead of logging in, or to delete the machine from within the admin console before logging in again

• Changed: Manage tailnet lock from the Device management page of the admin console, when enabled
• Changed: Improved UI for tailnet lock settings in the Machines page of the admin console

Note: This is the last release to support the following operating systems:

• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows Server 2008
• Microsoft Windows Server 2012

Tailscale releases after 1.42.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.42.0 with future releases until at least May 31, 2024.

Note: Do not install this version of the Tailscale client on macOS 10.13. Upgrade to version 1.44.0 instead.

All platforms

• New: tailscale serve reset command to clear out the current serve configuration
• Changed: Update internal DNS handling to better support mixtures of global and private DNS servers

Linux

• Fixed: SSH login on platforms which lack getent

Windows

Note: This release switches to a new application signing certificate, which is valid through 2025.

• Changed: Notification icons are updated

macOS

• Changed: Update Sparkle to check more regularly
• Fixed: Taildrop delivery of incomplete files

iOS

• New: Delete Account button to redirect to the admin panel
• Changed: Better handle memory management to avoid hitting 50 MByte memory limit

Unraid

• New: Support Unraid as a NAS platform similar to how Synology and QNAP are handled

Kubernetes

• New: Support for priorityClassName

• New: Webhook events are available in formats for Discord and Mattermost

• New: Use Tailscale SSH session recording to stream Tailscale SSH session logs to a designated node in your tailnet (beta)

Linux

• New: Tailscale SSH is now supported for LDAP users
• Fixed: Support for Tailscale SSH session recording to a local file is restored
• Fixed: Debian and RPM packages for MIPS architecture generate as expected

Windows

• Changed: Notification icons are updated
• Fixed: The 32-bit Windows installer for the Tailscale client works as expected

macOS

• Fixed: tailscale cert command no longer causes timeout failures

Kubernetes

• Fixed: The Tailscale version displays in the startup logs

• New: Authelia is now available as a custom OIDC provider (beta)

• New: Apple is now available as a supported SSO identity provider, for all plans

• New: Use Search Domains to configure DNS for accessing network resources without having to specify the full domain path (beta)

All platforms

• Changed: tailscale up --force-reauth will now display a warning and 5 second countdown if you are connected over SSH over Tailscale, unless --accept-risk=lose-ssh is also given
• Changed: Tailscale now dynamically increases the buffer size for DERP relay messages based on the amount of available RAM (#7776)
• Changed: Improvements were made to how Tailscale advertises available endpoints to reduce the likelihood of a spurious loss of direct connections (#7877)

Linux

• Changed: Substantially higher throughput—for details, see Surpassing 10Gb/s over Tailscale
• Changed: Improved CPU consumption on systems with a very large (1M+) routing table

Windows

• Changed: Redo migration of pre-Fast-User-Switching state for better robustness

macOS

• Changed: “Settings” replaces “Preferences” as a menu item on macOS Ventura

Android

• New: Added intents com.tailscale.ipn.CONNECT_VPN and com.tailscale.ipn.DISCONNECT_VPN

gokrazy

• New: Tailscale SSH now works

QNAP

• Fixed: UI failure after reboot

• Changed: The Machines page of the admin console has been updated to use Version as a column heading instead of OS, and to show the Tailscale client version prior to the operating system name

• New: Sync Tailscale ACLs GitLab CI Template to keep your tailnet policy file in GitLab, and automatically run tests and push changes to Tailscale

• New: autogroup:billing-admin and autogroup:auditor added as autogroups

• New: autogroup:admin, autogroup:it-admin, autogroup:network-admin, and autogroup:owner added as autogroups

• New: Click on a machine’s IP address in the Machines page of the admin console to display a machine address copy card. Within the machine address card, click to copy the MagicDNS name, IPV4 address, or IPV6 address of the machine to your clipboard.

All platforms

• Changed: Build with Go 1.20.3 to address security fixes (CVE-2023-24537, CVE-2023-24538, CVE-2023-24534, and CVE-2023-24536). These address potential DoS attacks against DNS over HTTPS and Funnel that can occur over the public internet, and PeerAPI attacks launched from other nodes already on the tailnet.
• Changed: Added path support for proxy targets with tailscale serve
• Fixed: Error displays when trying to use Funnel and tailscale up --shields-up simultaneously

Windows

• Fixed: When connected to a Windows 10 client using Windows RDP, the Tailscale taskbar right-click option for the remote client works as expected (#7698)

• New: “Log in using the web interface” and “Log out using the web interface” are logged as Configuration audit logging events for the Member user role. These events differentiate logins from users with access to the admin console.

• Changed: Tailnet lock works with shared nodes and Tailscale SSH console

• Changed: Tailscale Funnel (beta)
  • Route traffic from the wider internet to one or more of your Tailscale nodes.

All platforms

• New: Support for stripping HTTP request paths from Funnel proxy routes (#6571)
• Changed: Tailscale Funnel is now beta
• Fixed: tailscale serve issue that did not use actual SrcAddr as X-Forwarded-For

Linux

• Fixed: Certificate storage issue that did not actually use Kubernetes secrets

Windows

• Changed: Upgraded the Walk framework for the GUI client to improve menu responsiveness

• New: Invite multiple users at once and administer invites from the Users page of the admin console
• New: “Invite user to join tailnet” is logged as a Configuration audit logging event

All platforms

• Changed: tailscale lock tskey-wrap has been replaced by tailscale lock sign
• Changed: tailscale lock sign now supports signing auth keys

Linux

• Fixed: --tun=userspace-networking issue running in Azure App Services

macOS

• New: Sparkle automatically checks updates for the standalone package. This does not impact the App Store package.

FreeBSD

• Fixed: Issue setting the effective group ID on some non-interactive Tailscale SSH sessions. This issue is specific to FreeBSD’s implementation of setgroups and does not impact other platforms.

• New: Create multi-use invite links in the Machines page of the admin console, for sharing nodes

All platforms

• New: tailscale configure command to configure resources that you want to include in your tailnet
• New: tailscale lock sign to sign pre-approved auth keys for use with tailnet lock
• New: tailscale debug derp command to help diagnose DERP-related difficulty
• New: tailscale debug capture command to write packet capturing for debugging
• Changed: The tailscale debug portmap command replaces tailscaled debug -portmap. This is now available on platforms without a tailscaled binary (like the macOS App Store).
• Changed: tailscale serve command has been overhauled
• Changed: tailscale serve funnel has been made into its own command, tailscale funnel
• Fixed: Several improvements to UPnP port mapping have been made that allow it to work with a broader set of home routers

Linux

• New: Certificates can be stored in Kubernetes secret storage

Windows

• New: MSI installers start the GUI without user interaction to allow remote upgrades

macOS

• New: Notification upon node key expiration (only on macOS 10.14 and later)
• New: Tailscale SSH server component is available for macOS open source Tailscale + tailscaled CLI devices

iOS

• New: Support for alternate control servers by setting the URL in Settings page of the admin console

Android

• Fixed: Chromecast support while Tailscale is active

Note: v1.38.0 was never released.

• New: Use user approval to require an admin to approve a user before they can join a tailnet (beta)
• New: Enable user approval for tailnet, Disable user approval for tailnet, and Approve user actions are logged as Configuration audit logging events
• New: userNeedsApproval and userApproved events are available as webhook events

• New: Device management section is added to the Settings page of the admin console
• New: User management section is added to the Settings page of the admin console
• Changed: Feature Previews section is removed from the Settings page of the admin console. All feature previews are now located in the General page.
• Changed: Identity Provider and User & Group Provisioning options are moved from the General page to the User management page of the admin console
• Changed: Device Approval and Key Expiry options are moved from the General page to the Device management page of the admin console
• Changed: Billing drop-down option for logged in users is removed from the admin console. Use the Billing section in the General page instead.

• Changed: Docker Desktop extension (generally available)
  • Use the Tailscale extension for Docker Desktop to securely connect to the resources you need for development

• New: userRoleUpdated webhook event is now generated when a user role is changed

• New: webhookUpdated and webhookDeleted events are now generated when a webhook is updated or deleted. These events are subscribed by default and cannot be disabled.

• Changed: “Device approval” replaces “Device authorization” as the name of the feature in the General settings page of the admin console
• Changed: “Needs approval” replaces “Needs authorization” in the Disabled filter of the Machines page
• Changed: “Pre-approved” replaces “Pre-authorized” in the Generate auth key dialog of the Keys page
• Changed: “nodeApproved” replaces “nodeAuthorized” in webhook events
• Changed: “nodeNeedsApproval” replaces “nodeNeedsAuthorization” in webhook events
• Changed: “Enable device approval for tailnet” replaces “Enable device authorization for tailnet” in Configuration audit logging events
• Changed: “Disable device approval for tailnet” replaces “Disable device authorization for tailnet” in Configuration audit logging events
• Changed: “Approve node” replaces “Authorize node” in Configuration audit logging events

• New: userCreated event in the Tailnet management category when a user is created

• Changed: Configuration audit logging (generally available)
  • Identify who did what, and when, in your tailnet

• Changed: Accept invite for feature events in configuration audit logs no longer include the acceptor in the sharer’s logs

• New: Use OAuth clients to provide delegated fine-grained access to the Tailscale API (beta)

• New: Automate tasks with Tailscale actions for iOS and macOS Shortcuts

All Platforms

• New: --json flag for the tailscale lock status and tailscale lock log commands
• New: --json flag for the tailscale version command
• New: tailscale update command to update client
• New: tailscale debug daemon-logs to watch server logs
• Changed: tailscale status --json now includes KeyExpiry time and Expired boolean on nodes
• Changed: tailscale version now advertises when you’re on the unstable (dev) track
• Changed: (Unix platforms) When /etc/resolv.conf needs to be overwritten for lack of options, a comment in the file now links to https://tailscale.com/s/resolvconf-overwrite
• Fixed: Tailscale SSH: SSH to tailscaled as a non-root user works again, as long as you only SSH to the same user that tailscaled is running as
• Fixed: Handle cases where a node expires and we don’t receive an update about it from the control server (#6929 and #6937)
• Fixed: Support UPnP port mapping of gateway devices where they are deployed as a highly available pair (#6946)
• Fixed: Support arbitrary IP protocols like EOIP and GRE (#6423)
• Fixed: Exit node handling of a large number of split DNS domains (#6875)
• Fixed: Accept DNS-over-TCP responses up to 4K bytes (#6805)

Linux

• New: Add build support for Loongnix CPU architecture
• Changed: Improved throughput performance on Linux (#6663)

macOS

• New: Tailscale actions (connect, disconnect, switch profile, use exit node) are available in the Shortcuts app (read the blog post)
• Fixed: Tailscale traffic looping upon certain sleep/resume/Wi-Fi change transitions (#5156)

iOS

• New: Tailscale actions (connect, disconnect, use exit node) are available in the Shortcuts app
• Fixed: Tailscale using cellular data even after Wi-Fi becomes available (#6565)

Windows

• Changed: Add a more robust mechanism to remove WinTun (#6433)
• Changed: Update taskbar menu radio button implementation

Android

• Changed: New version of the Gio UI library with internationalization and accessibility fixes
• Changed: Allow Sonos app to discover local devices while Tailscale is connected

Synology

• New: Show whether outgoing connections are configured in the web UI

Containers

• New: Run in a Kubernetes environment without setting TS_KUBE_SECRET (#6704)

OpenBSD

• New: Tailscale SSH runs on OpenBSD

• New: UI functionality to delete the legacy beta.tailscale.net nameserver if you are no longer using it

• New: Available as an application in Scoop in Extras bucket

• Changed: Updated Terms of service
• Changed: Updated Privacy policy
• New: Data Privacy Addendum and list of subprocessors

Linux

• Fixed: Handling of a very large number of SplitDNS domains with an exit node

macOS

• Fixed: UI glitch with macOS 10.14 and 10.13

Windows

• Fixed: Custom server URL from registry key support

Synology

• Fixed: Crashes manifesting on ARM-based platforms and models with very old kernels

• Changed: Access your tailnet from GitHub Codespaces using Tailscale as a feature in a dev container (Thanks Ross Light!)

• Changed: User & group provisioning for Okta (generally available)
  • Sync Okta groups to use in your Tailscale ACLs
• New: nodeID included in all node-related webhook event payloads

• New: Use tailnet lock to require your nodes to verify node keys distributed by the coordination server before trusting them (alpha)

Linux

• Fixed: Unit tests on systems using busybox ip
• Fixed: Regression handling TS_STATE_DIR in containerboot

macOS

• Fixed: Issue which could fail to save the key for tailscale serve (#6409)
• Fixed: Issue which could cause crash when interfaces change (#6641)

Windows

• Fixed: Common cause of an issue with Tailscale SSH (#6639)

• New: Use the admin console to export a list of devices and export a list of users in your tailnet

All Platforms

• New: tailscale switch command to switch between accounts using fast user switching
• New: tailscale login command to login with a specified account
• New: tailscale set command to modify configuration settings without needing to repeat the others
• New: tailscale lock command to manage tailnet lock for your tailnet
• New: Additional 4via6 DNS name format, Q-R-S-T-via-X (or Q-R-S-T-via-X.yak-bebop.ts.net), for systems that required dashes instead of dots
• Changed: Display decoded punycode hostnames in status list
• Changed: Warn in tailscale status health and tailscale up if there are nodes advertising routes but --accept-routes=false

Linux

• New: Add fast user switching using tailscale login and tailscale switch
• Changed: Warn in tailscale status health if something else overwrites /etc/resolv.conf

macOS

• New: Add fast user switching by selecting the desired tailnet from the Tailscale icon in the menubar, or via the tailscale login and tailscale switch commands

Windows

• New: Add fast user switching by selecting the desired tailnet from the Tailscale icon in the taskbar, or via the tailscale login and tailscale switch commands
• New: Use named pipes to communicate between UI and Service
• Changed: Move state storage responsibility from frontend to backend. The current state is migrated, this should not be a noticeable change.
• Changed: Switch to wingoes for OLE support, use multithreaded apartment
• Changed: Received Taildrop files get placed in the C:\Users\(username)\Downloads directory (previously they were placed in the C:\Users\(username)\Desktop directory)

Android

• Fixed: Allow Sonos app to discover speakers on the local LAN

Synology

• Fixed: Better detect DSM version, locate local socket correctly

Containers

• Changed: Replace run.sh with cmd/containerboot

FreeBSD

• New: Support for Tailscale SSH (Thanks Pat Maddox!)

• New: Set contact preferences in the Contact Preferences page of the admin console for notifications about account changes, configuration issues, security issues, and billing
• New: Contact preference updates and verifications are included in configuration audit logs

• New: Create invitations for feature previews in the General settings page of the admin console

• Changed: Tailscale unstable images on Docker Hub and in GitHub Packages now contain the prefix “unstable-”, for example “unstable-v1.33” instead of “v1.33”

All Platforms

• Fixed: Security vulnerability in the Windows client that allows a malicious website to reconfigure the Tailscale daemon tailscaled, which can then be used to remotely execute code (CVE-2022-41924, TS-2022-004)
• Fixed: Security vulnerability in the client that allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables (CVE-2022-41925, TS-2022-005)

Windows

• Changed: Set Zone.Identifier alternate data stream for Taildrop files

macOS

• Changed: Set com.apple.quarantine flag for Taildrop files

• New: Tailscale Funnel to route traffic from the wider Internet to your Tailscale nodes (alpha)

• New: Use UI filters to easily filter devices in the Machines page of the admin console

• New: The actor is included in all webhook event payloads
• New: The key expiration time is included in payloads for expiration-related events
• Changed: Slack messages generated for webhook events now have timestamps formatted in the local timezone of the user viewing the message

• New: Set up billing in Azure with a Tailscale in Azure Marketplace subscription

• New: Create a browser-based SSH session from the admin console to a node on your tailnet (beta)

• Changed: MagicDNS (generally available)
  • Access devices using short hostnames, like my-server or dashboard

• Changed: Tailnets use .ts.net instead of .beta.tailscale.net for the tailnet name
  • To avoid publicizing your organization name, Tailscale provides you with a tailnet name, which is used by features like MagicDNS, HTTPS, and sharing. The tailnet name is visible in the DNS page of the admin console.
  • Previously, you might have used a name ending in .beta.tailscale.net. If so, migrate to the new tailnet name. The existing beta.tailscale.net name remains supported until at least November 1, 2023.
  • What we previously called the tailnet name is now called the organization name. The organization name is used by the Tailscale API, and is visible in the Settings page of the admin console.

• New: Use configuration audit logging to identify who did what, and when, in your tailnet (beta)

• New: Per-DERP-region DNS entries, such as derp1-all.tailscale.com, available for firewall allowlists or other compliance requirements

• Changed: Key type is embedded in new keys, for example, tskey-auth-012345abcdef instead of tskey-012345abcdef

• New: Honolulu added as a DERP region

• New: Dubai and Warsaw added as DERP regions

• New: Hong Kong, Madrid, and Toronto added as DERP regions

• New: Los Angeles and Paris added as DERP regions

• New: Johannesburg and Miami added as DERP regions

• New: Amsterdam and Denver added as DERP regions

All Platforms

• Fixed: Exit nodes in userspace-networking mode break Chrome v.104 or later IPv6 connectivity
• Fixed: SIGINT when running in a container without job control

• New: Sync Tailscale ACLs GitHub Action in GitHub Marketplace to keep your tailnet policy file in Git, and automatically run tests and push changes to Tailscale

• New: Recently expired and revoked auth keys and API keys are now shown on the Keys page of the admin console

All Platforms

• New: Use DNS-over-HTTPS for Mullvad DNS servers
• New: Report whether a subnet router is running in userspace-networking or kernel mode
• New: send Tailscale client version number in ACME requests (to Let’s Encrypt, for example)
• New: Report whether host kernel supports IPv6
• New: Add tailscale licenses with link to open source licenses
• Changed: Delete node immediately if tailscaled exists and was using mem: state storage
• Changed: tsnet ephemeral nodes will delete themselves on Close()
• Changed: Add a timeout when writing to BIRD socket
• Changed: Clients can use Noise with any HTTPS port with capver 39 (mainly for Headscale)
• Fixed: 100.100.100.100 will respond with SERVFAIL if there are no upstream resolvers

Linux

• Fixed: Gracefully handle restarts in resolved support

macOS

• Changed: Report variant (App Store, system extension) in the about box
• Fixed: Fix missing IP address display in the status menu

Windows

• New: Add native ARM build for backend Tailscale service (only in NSIS installer in this release)
• Changed: Update Proxy support
• Changed: Notice when group policy entries change and move our NRPT rules between the local and group policy subkeys as needed
• Fixed: Avoid 2.3 second DNS lookup delay when Smart Name Resolution is enabled by adding MagicDNS names to hosts file
• Fixed: Disable NetBIOS nameservice on Tailscale interfaces

iOS

• Fixed: Fix potential crash in notification handling
• Fixed: Fix dismissing of error indication if a bugreport fails

Android

• New: Allow coordination server URL to be set. Click the Authentication menu three times quickly to enable
• Fixed: Fix Google Stadia, Android Auto, GoPro, and Messages RCS with the VPN active

Synology

• Fixed: Fix /dev/net permissions in tailscale configure-host

OpenBSD

• New: Support functioning as a subnet router or exit node using hybrid netstack mode

Other

• Fixed: Accommodate shared nodes in nginx-auth
• Fixed: Fix race in derper (Custom DERP servers) with manual certificates

• New: Tailscale Terraform provider for managing your Tailscale resources, managed by Tailscale

• Changed: Invite links for sharing a device are automatically generated and copied, and no longer requires a label to be generated

• New: Run tailscale logout to remove an ephemeral node from your tailnet immediately

• New: TrueCharts has added community support for a TrueNAS SCALE app and Helm chart for Tailscale (Thanks!)

• New: On-demand access integration with ConductorOne, Indent, Opal, and Sym

• New: The network policy options section in ACLs now contains the OneCGNATRoute setting which controls the routes that Tailscale clients will generate
• Fixed: Bug that can cause slow connects and a crash in a custom DERP server in manual cert mode (not using Let’s Encrypt). We encourage you to upgrade your derper binary. If you use the default Let’s Encrypt mode, no action is required

• New: Connect with Tailscale SSH to tagged nodes that are shared with you

• New: View the status of Tailscale services at https://status.tailscale.com/

All Platforms

• Fixed: tailscaled being able to restart while mosh-server is running from an SSH session
• Fixed: Make tailscale up --operator="" clear a previously set operator

Linux

• Fixed: Tailscale SSH support with Arch Linux

macOS

• Changed: Limit SSH login to 16 groups

Windows

• Changed: Make SSH command prefer Windows ssh.exe over PATH

iOS

• Changed: Try harder to notify for SSH check mode

• New: Use Tailscale SSH to allow Tailscale to manage the authentication and authorization of SSH connections in your tailnet (beta)
• Changed: Default ACL now allows users to access their own devices using Tailscale SSH with check mode. This only affects tailnets with default ACLs, including new tailnets and tailnets which have never modified their ACLs

All Platforms

• Fixed: Various bugs

All Platforms

• New: Add --peerapi <peer> flag in tailscale ping to check connectivity to a peer using the PeerAPI
• New: Add --timeout <duration> flag in tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initialize
• New: Allow LoginInteractive via LocalAPI
• New: MagicDNS supports DNS/TCP and handling IP fragmented UDP frames
• New: Add an overall 10 second timeout for recursive MagicDNS queries
• New: Add Wake-on-LAN function to PeerAPI. There is no UI for it currently.
• New: Provide /run.sh as an entrypoint for Docker container builds
• Fixed: Configured MTU is now consistent between a TUN device and a userspace device
• Changed: Refactor tailscale.com/client/tailscale package with LocalClient type
• Changed: Change MagicDNS “via route” DNS names from “via-SITEID.10.2.3.4” to “10.2.3.4.via-SITEID”. The old format will continue to work for the next one or two releases.
• Changed: Build with Go 1.18.3

macOS

• New: Tailscaled-on-macOS now supports MagicDNS, including Split DNS
• New: Initial release of a standalone macOS client, which is independent of the App Store, in the stable track

Windows

• New: Add TS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUI
• Fixed: MagicDNS lookup of own hostname
• Fixed: Handle more than 50 Split DNS domains
• Fixed: Resolve one source of shutdown delay (there may still be more)

Synology

• New: Allow the NAS disks to hibernate by moving telemetry buffering to tmpfs
• Changed: Improve HTTP proxy handling

iOS

• New: Bug report menu option in the UI

• New: Search for users and filter based on user role in the Users page
• New: Pagination when user list is large in the Users page

macOS

• New: Initial release of a standalone macOS client, which is independent of the App Store, in the unstable track

• New: Update billing email address in the Billing page of the admin console

• Changed: The allowed expiration range for keys is 1 to 180 days, instead of 3 to 180 days

• New: Update invoice name and address in the Billing page of the admin console

• New: Use the Tailscale extension for Docker Desktop to securely connect to the resources you need for development (beta)

• Changed: When adding common global DNS nameservers, Tailscale will automatically include all IPv4 and IPv6 addresses for that nameserver and treat them as one entity

• Changed: The tailnet ACL validate API call also allows verifying ACL format and running ACL tests, without posting a new ACL
• Changed: The tailnet key detail API call includes whether an auth key is pre-authorized

All Platforms

• Fixed: Handling of HTTP proxies in certain circumstances
• Fixed: An issue where the new control plane protocol could fail to make a connection to our servers (#4557)

Synology

• • Fixed: Additional fix in handling of HTTP proxies

All Platforms

• Fixed: Two issues where the new control plane protocol could fail to make a connection to our servers (#4544, #4538)
• Fixed: Set TCP keep-alives in userspace-networking subnet router to avoid connection leaks (#4522)
• Fixed: Avoid using the LTE radio after transition to Wi-Fi

Android

• New: Run Tailscale on Android TV

All Platforms

• New: Initial support for site-relative IPv4 addressing using IPv6
• New: First for-keepsies deployment of ts2021 protocol
• New: tsnet now supports providing a custom ipn.StateStore
• Fixed: Improve netstack performance via better GC tuning
• Fixed: MagicDNS: PTR records for TS service IPs
• Changed: Build with Go 1.18

Linux

• New: taildrop: add file get --loop
• New: taildrop: add file get --conflict=(skip|overwrite|rename)
• Changed: Default to userspace-networking mode on gokrazy
• Changed: Set tailscale0 link speed to UNKNOWN, not 1Gbps
• Changed: Attempt to load the xt_mark kernel module when it is not present

Windows

• Fixed: Improve HTTPS proxy handling

Synology

• Fixed: Improve HTTPS proxy handling

Android

• New: Android TV support
• Fixed: Fix and reintroduce Talkback support

FreeBSD

• Fixed: Portmapping support

• New: Add or modify your tax identification number in the Billing page of the admin console

• New: ACL tests now support group as an option for the src field, and as the host portion of the accept and deny fields.

• New: Policy syntax for ACL tests now supports accept/deny in addition to allow/deny when specifying destinations that the ACL rules should accept or deny.

Linux

• Fixed: Potential crash at startup when using BGP

Windows

• Fixed: MSI not restarting GUI after MSI-to-MSI upgrade

• New: Use Caddy to manage Tailscale HTTPS certificates

All Platforms

• Fixed: In userspace-networking mode, always close SOCKS proxied connections

Linux

• Fixed: Better operation with gokrazy

macOS

• Fixed: Fix macOS GUI “Must restart” dialog in some cases

Windows

• Fixed: Fix a Windows NSIS installer bug when upgrading

FreeBSD

• Fixed: Fix portmapping

• New: Share an exit node (beta)

• New: Policy syntax for ACL rules now supports src/dst in addition to users/ports when referring to sources and destinations

All Platforms

• Fixed: DNS lookups via an exit node in many cases

Linux

• Fixed: Better handling of extremely large /proc/net/route files for very large routers
• Fixed: BGP advertisement with subnet router failover

OpenBSD

• Fixed: openresolv /etc/resolv.conf handling

• New: Disable node key expiry via API
• Fixed: Preview rules in the admin console for tagged nodes

• Changed: ACL tags (generally available)
  • You can include tags as part of an authentication key, you can tag devices from the Machines page of the admin console, and tags can be owners of other tags. You must authenticate when re-tagging a device.
• Fixed: Preview rules in the admin console for a user without any nodes

• Changed: A device tagged with an ACL tag is associated with the tag applied to it, not with the user who authenticated the device
• Changed: Tagged devices are listed under “Tagged Devices” in the list of Network devices in Tailscale clients
• Changed: Users cannot use Taildrop to send files to and from nodes they have tagged
• Fixed: A user without any nodes can be specified as part of an ACL test

Synology

• Fixed: UI issues in Synology (Synology 1.20.2 doesn’t have working options page)

Only the Synology client released v1.20.3. All other platforms remain with v1.20.2.

• New: Delete your tailnet from the Settings page of admin console if it only has one user. Contact support for other requests

All Platforms

• Fixed: Deadlock in handling the DERP map

All Platforms

• New: When using an exit node, DNS queries will be forwarded to the exit node for resolution
• New: tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
• New: SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
• New: More debug metrics available
• New: tailscale ip -1 flag
• New: CLI now lets you select exit node by name
• New: CLI now shows you which nodes are offering exit nodes
• New: CLI now refuses to let you pick an invalid exit node (when connected)
• New: Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
• New: Added Online boolean to tailscale status --json, made tailscale status show offline nodes
• New: Added tailscale up --json
• Fixed: MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using disableIPv4: true in ACL
• Fixed: Choose a new DERP relay server if the current DERP is removed from the DERPmap
• Fixed: Bug fixes, cleanups, log spam reduction

Linux

• Changed: tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)

Windows

• New: GUI support for running an exit node

macOS

• New: GUI support for running an exit node

iOS

• Changed: Send heartbeats less often to conserve battery

Android

• New: Talkback support
• New: Menu selection to generate a bug report
• New: “Allow LAN Access” checkbox in Exit Node menu
• Changed: Send heartbeats less often to conserve battery
• Changed: Implement DNS config reporting
• Changed: No longer require fallback DNS to be configured in admin console
• Fixed: Report in the UI when connectivity is lost; this functionality was present but broken in prior releases

FreeBSD

• Fixed: Now supports running in a jail (if devd isn’t available, it falls back to network status polling mode)

• New: Auth keys can include an ACL tag binding, so that when a device is authenticated, the tags are applied
• New: ACL tags can be applied by an Owner, Admin, or Network admin from the admin console
• New: A tag can be the owner of another tag
• New: Auth keys can be generated via API

All Platforms

• New: Permit protocols other than TCP, UDP, or SCTP if an ACL rule has a proto specified and allows * port range
• Fixed: Exit node selection takes effect (almost) immediately

Linux

• Fixed: In DNS DirectManager, allow comments at the end of a line
• Fixed: Don’t get stuck waiting for systemd-resolved to restart in one particular DNS configuration

Synology

• New: Receive Taildrop files

• New: ACLs can now use autogroup:self to write access rules to allow access to devices authenticated as the same user as the source IP address

Linux

• Fixed: Regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing

• New: User roles for Network admin, IT admin, and Auditor

• New: arm and arm64 container images on Docker Hub and in GitHub Packages

All Platforms

• New: tailscaled debug server now exports Prometheus metrics at /debug/metrics
• Fixed: Improved UPnP discovery so that eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
• Fixed: State machine transition regarding expired key extension
• Changed: If unable to upload telemetry, limit amount buffered to 50MB
• Changed: Retry more transient DNS errors, instead of passing the failure back to the client

Linux

• New: Support storing Tailscale state using AWS SSM (e.g., tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)
• Fixed: If resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
• Fixed: If NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
• Fixed: Handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
• Fixed: Work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
• Changed: Use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device

iOS

• Changed: On iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms

Synology

• Changed: Only use AmbientCaps on DSM7+

• New: Available as a formula in Homebrew (Thanks!)

• New: Available in the Okta Integration Network

• New: Users can be suspended and restored from the Users page of the admin console
• New: Users who are inactive are shown in Users page of the admin console

• Changed: Ephemeral nodes now have both IPv6 and IPv4 addresses

• New: Officially supported in the Synology package center

• New: Published Tailscale container image available on Docker Hub and in GitHub Packages

• New: Specify --qr as part of tailscale up to generate a QR code for the login URL

All Platforms

• Changed: Include Let’s Encrypt’s ISRG Root X1 root as an alternate to try if the platform roots fail
• Changed: If tailscale cert fails because it needs to be run as root, say so.
• Fixed: Avoid looping packets in tstun, believed to fix #1526
• Fixed: Allow SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
• Fixed: Ensure state directory is set to perm 0700.

iOS

• Changed: Ignore ipsec link monitor events for iOS to avoid waking the system

Windows

• Changed: Move state files from C:\Windows to C:\ProgramData, to better handle Windows

Synology

• Fixed: Fix segfaults shortly after starting, resolves #2733

• New: Provision TLS certificates for devices in your tailnet (beta)

• New: Free Community on GitHub pricing plan for GitHub organizations using Tailscale for open source projects, families, and friends

All Platforms

• Changed: tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
• Fixed: Crash in TCP forwarding with userspace-networking; resolves #2658

Windows

• Fixed: Default route lookup on Windows; resolves #2707

Note: v1.14.1 and v1.14.2 were never released.