Changelog

Linux

• Fixed: Regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing

• New: User roles for Network Admin, IT Admin, and Auditor

• New: arm and arm64 container images on Docker Hub and in GitHub Packages

All Platforms

• New: tailscaled debug server now exports Prometheus metrics at /debug/metrics
• Fixed: Improved UPnP discovery so that eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
• Fixed: State machine transition regarding expired key extension
• Changed: If unable to upload telemetry, limit amount buffered to 50MB
• Changed: Retry more transient DNS errors, instead of passing the failure back to the client

Linux

• New: Support storing Tailscale state using AWS SSM (e.g., tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)
• Fixed: If resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
• Fixed: If NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
• Fixed: Handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
• Fixed: Work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
• Changed: Use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device

iOS

• Changed: On iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms

Synology

• Changed: Only use AmbientCaps on DSM7+

• New: Available as a formula in Homebrew

• New: Available in the Okta Integration Network

• New: Users can be suspended and restored from the admin console
• New: Users who are inactive are shown in the admin console

• Changed: Ephemeral nodes now have both IPv6 and IPv4 addresses

• New: Officially supported in the Synology package center

• New: Published Tailscale container image available on Docker Hub and in GitHub Packages

• New: Specify --qr as part of tailscale up to generate a QR code for the login URL

All Platforms

• Changed: Include Let’s Encrypt’s ISRG Root X1 root as an alternate to try if the platform roots fail
• Changed: If tailscale cert fails because it needs to be run as root, say so.
• Fixed: Avoid looping packets in tstun, believed to fix #1526
• Fixed: Allow SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
• Fixed: Ensure state directory is set to perm 0700.

iOS

• Changed: Ignore ipsec link monitor events for iOS to avoid waking the system

Windows

• Changed: Move state files from C:\Windows to C:\ProgramData, to better handle Windows

Synology

• Fixed: Fix segfaults shortly after starting, resolves #2733

• New: Provision TLS certificates for devices in your tailnet

• New: Free Community on GitHub pricing plan for GitHub organizations using Tailscale for open source projects, families, and friends

All Platforms

• Changed: tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
• Fixed: Crash in TCP forwarding with userspace-networking; resolves #2658

Windows

• Fixed: Default route lookup on Windows; resolves #2707

Note: v1.14.1 and v1.14.2 were never released.