Changelog

Updates to the Tailscale client and service.

Tailscale v1.38.1

Update instructions →
All platforms
  • New: tailscale configure command to configure resources that you want to include in your tailnet
  • New: tailscale lock tskey-wrap to sign pre-approved auth keys for use with tailnet lock
  • New: tailscale debug derp command to help diagnose DERP-related difficulty
  • New: tailscale debug capture command to write packet capturing for debugging
  • Changed: The tailscale debug portmap command replaces tailscaled debug -portmap. This is now available on platforms without a tailscaled binary (like the macOS App Store).
  • Changed: tailscale serve command has been overhauled
  • Changed: tailscale serve funnel has been made into its own command, tailscale funnel
  • Fixed: Several improvements to UPnP port mapping have been made that allow it to work with a broader set of home routers
Linux
  • New: Certificates can be stored in Kubernetes secret storage
Windows
  • New: MSI installers start the GUI without user interaction to allow remote upgrades
macOS
iOS
  • New: Support for alternate control servers by setting the URL in Settings page of the admin console
Android
  • Fixed: Chromecast support while Tailscale is active

Note: v1.38.0 was never released.

Settings page is reorganized

  • New: Device management section is added to the Settings page of the admin console
  • New: User management section is added to the Settings page of the admin console
  • Changed: Feature Previews section is removed from the Settings page of the admin console. All feature previews are now located in the General page.
  • Changed: Identity Provider and User & Group Provisioning options are moved from the General page to the User management page of the admin console
  • Changed: Device Approval and Key Expiry options are moved from the General page to the Device management page of the admin console
  • Changed: Billing drop-down option for logged in users is removed from the admin console. Use the Billing section in the General page instead.

Webhook event when a user role is updated

  • New: userRoleUpdated webhook event is now generated when a user role is changed

Billing Admin

Read more →
  • New: Billing Admin role to manage pricing plan and billing information, but not modify other tailnet settings
  • Changed: All users with the Admin role can manage pricing plan and billing information
  • Changed: Configuration audit logging no longer includes “Update billing owner for tailnet” events. Changes to Billing Admin roles are included in “Update role for user” events

Tailscale v1.36.2

Update instructions →
macOS
  • Fixed: Prevent using an exit node while being an exit node
  • Fixed: Improve detection of default interface
iOS
  • Fixed: Improve detection of default interface
Windows
  • Fixed: Improve clean out of registry entries during upgrade

Webhook events when a webhook is updated or deleted

  • New: webhookUpdated and webhookDeleted events are now generated when a webhook is updated or deleted. These events are subscribed by default and cannot be disabled.

Device authorization is now called Device approval

  • Changed: “Device approval” replaces “Device authorization” as the name of the feature in the General settings page of the admin console
  • Changed: “Needs approval” replaces “Needs authorization” in the Disabled filter of the Machines page
  • Changed: “Pre-approved” replaces “Pre-authorized” in the Generate auth key dialog of the Keys page
  • Changed: “nodeApproved” replaces “nodeAuthorized” in webhook events
  • Changed: “nodeNeedsApproval” replaces “nodeNeedsAuthorization” in webhook events
  • Changed: “Enable device approval for tailnet” replaces “Enable device authorization for tailnet” in Configuration audit logging events
  • Changed: “Disable device approval for tailnet” replaces “Disable device authorization for tailnet” in Configuration audit logging events
  • Changed: “Approve node” replaces “Authorize node” in Configuration audit logging events

Tailscale v1.36.1

Update instructions →
All Platforms
  • Fixed: Potential infinite loop when node key expires
macOS
  • Fixed: Handle starting the app before network interfaces are ready
iOS
  • Fixed: Handle starting the app before network interfaces are ready
  • Fixed: Get Status intent will not connect the VPN
Windows
  • Fixed: Potential crash in netstat handling
  • Fixed: Windows 7 checks for KB2533623

Feature invite logs no longer include acceptor

  • Changed: Accept invite for feature events in configuration audit logs no longer include the acceptor in the sharer’s logs

Tailscale v1.36

Update instructions →
All Platforms
  • New: --json flag for the tailscale lock status and tailscale lock log commands
  • New: --json flag for the tailscale version command
  • New: tailscale update command to update client
  • New: tailscale debug daemon-logs to watch server logs
  • Changed: tailscale status --json now includes KeyExpiry time and Expired boolean on nodes
  • Changed: tailscale version now advertises when you’re on the unstable (dev) track
  • Changed: (Unix platforms) When /etc/resolv.conf needs to be overwritten for lack of options, a comment in the file now links to https://tailscale.com/s/resolvconf-overwrite
  • Fixed: Tailscale SSH: SSH to tailscaled as a non-root user works again, as long as you only SSH to the same user that tailscaled is running as
  • Fixed: Handle cases where a node expires and we don’t receive an update about it from the control server (#6929 and #6937)
  • Fixed: Support UPnP port mapping of gateway devices where they are deployed as a highly available pair (#6946)
  • Fixed: Support arbitrary IP protocols like EOIP and GRE (#6423)
  • Fixed: Exit node handling of a large number of split DNS domains (#6875)
  • Fixed: Accept DNS-over-TCP responses up to 4K bytes (#6805)
Linux
macOS
  • New: Tailscale actions (connect, disconnect, switch profile, use exit node) are available in the Shortcuts app (read the blog post)
  • Fixed: Tailscale traffic looping upon certain sleep/resume/Wi-Fi change transitions (#5156)
iOS
  • New: Tailscale actions (connect, disconnect, use exit node) are available in the Shortcuts app
  • Fixed: Tailscale using cellular data even after Wi-Fi becomes available (#6565)
Windows
  • Changed: Add a more robust mechanism to remove WinTun (#6433)
  • Changed: Update taskbar menu radio button implementation
Android
  • Changed: New version of the Gio UI library with internationalization and accessibility fixes
  • Changed: Allow Sonos app to discover local devices while Tailscale is connected
Synology
  • New: Show whether outgoing connections are configured in the web UI
Containers
  • New: Run in a Kubernetes environment without setting TS_KUBE_SECRET (#6704)
OpenBSD

Login page interstitial to confirm node authentication

  • New: The Tailscale login page (https://login.tailscale.com) describes the action taking place, such as adding a new device or authorizing SSH access, etc. For some actions, like adding a new node, a second redirection page will be used as a confirmation step.

Tailscale v1.34.2

Update instructions →
Linux
  • Fixed: Handling of a very large number of SplitDNS domains with an exit node
macOS
  • Fixed: UI glitch with macOS 10.14 and 10.13
Windows
  • Fixed: Custom server URL from registry key support
Synology
  • Fixed: Crashes manifesting on ARM-based platforms and models with very old kernels

Tailscale v1.34

Update instructions →
All Platforms
Linux
macOS
Windows
  • New: Add fast user switching by selecting the desired tailnet from the Tailscale icon in the taskbar, or via the tailscale login and tailscale switch commands
  • New: Use named pipes to communicate between UI and Service
  • Changed: Move state storage responsibility from frontend to backend. The current state is migrated, this should not be a noticeable change.
  • Changed: Switch to wingoes for OLE support, use multithreaded apartment
  • Changed: Received Taildrop files get placed in the C:\Users\(username)\Downloads directory (previously they were placed in the C:\Users\(username)\Desktop directory)
Android
  • Fixed: Allow Sonos app to discover speakers on the local LAN
Synology
  • Fixed: Better detect DSM version, locate local socket correctly
Containers
  • Changed: Replace run.sh with cmd/containerboot
FreeBSD

Name change for unstable Docker images

  • Changed: Tailscale unstable images on Docker Hub and in GitHub Packages now contain the prefix “unstable-”, for example “unstable-v1.33” instead of “v1.33”

Tailscale v1.32.3

Update instructions →
All Platforms
  • Fixed: Security vulnerability in the Windows client that allows a malicious website to reconfigure the Tailscale daemon tailscaled, which can then be used to remotely execute code (CVE-2022-41924, TS-2022-004)
  • Fixed: Security vulnerability in the client that allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables (CVE-2022-41925, TS-2022-005)
Windows
  • Changed: Set Zone.Identifier alternate data stream for Taildrop files
macOS
  • Changed: Set com.apple.quarantine flag for Taildrop files

Webhook event payload additions

  • New: The actor is included in all webhook event payloads
  • New: The key expiration time is included in payloads for expiration-related events
  • Changed: Slack messages generated for webhook events now have timestamps formatted in the local timezone of the user viewing the message

Tailscale v1.32.2

Update instructions →
All Platforms
  • Changed: Substantially improve userspace-networking handling of packet loss
macOS
  • Fixed: Fix a crash impacting some macOS systems (#6065)
Android
  • Fixed: Fix a 4-in-6 DNS problem mainly impacting Android (fixed by Peter Cai) (#5698)

Webhooks

Read more →
  • New: Use webhooks to subscribe to certain events on your tailnet and process the event notifications through an integration or app

Fully qualified domain name in API responses

  • Changed: In output of Tailscale API calls, a machine’s name uses the fully qualified domain name based on the tailnet name, instead of the previous format based on the organization name. For example, a machine name in API output is now my-server.yak-bebop.ts.net instead of my-server.example.com. This is a display-only change and doesn’t modify the name of any machines.

Tailscale v1.32.1

Update instructions →
All Platforms
  • Fixed: Avoid crash in tailscale netcheck (#5919)
macOS
  • Fixed: Avoid a condition which can result in high CPU consumption (#5879)
  • Fixed: Fix Taildrop failures when sending many files (#5873)
iOS
  • Fixed: Fix Taildrop failures when sending many files (#5873)
Windows
  • Fixed: Correct IPv6 MTU setting (#5914)

Tailnet name changed

  • Changed: Tailnets use .ts.net instead of .beta.tailscale.net for the tailnet name
    • To avoid publicizing your organization name, Tailscale provides you with a tailnet name, which is used by features like MagicDNS, HTTPS, and sharing. The tailnet name is visible in the DNS page of the admin console.
    • Previously, you might have used a name ending in .beta.tailscale.net. If so, migrate to the new tailnet name. The existing beta.tailscale.net name remains supported until at least November 1, 2023.
    • What we previously called the tailnet name is now called the organization name. The organization name is used by the Tailscale API, and is visible in the Settings page of the admin console.

Tailscale v1.32.0

Update instructions →
All Platforms
  • New: Support NextDNS
  • New: Add tailscaled --no-logs-no-support (or TS_NO_LOGS_NO_SUPPORT=true environment variable)
  • New: tailscale bugreport --record flag to pause and write another bug report
  • Changed: More in-depth health checks in a bugreport
  • Changed: tailscale netcheck looks for a captive portal
  • Changed: Build with Go 1.19.2
  • Fixed: IP fragmentation handling as an exit node
  • Fixed: SSH inadvertently closing tmux/etc panes at disconnect
  • Fixed: Always respond to 4via6 ICMP echo requests
  • Fixed: Normalize more process names in Services report
Linux
  • New: Coexist with mwan3 package iptables rule fwmark masks, for OpenWRT
  • New: Add an eBPF helper to pass the first packet on a new flow up to tailscaled
  • Changed: Better detect when running in a container
macOS
  • Fixed: Incorrect list of Taildrop target devices
Windows
  • New: Log Windows service diagnostics when the wintun device fails to install
iOS
  • Fixed: Incorrect list of Taildrop target devices
Android
  • Changed: Show an error when unable to accommodate multiple users
Synology
  • New: envknob support
  • Fixed: Configure-host version parsing

DNS entries for DERP regions for firewalls

  • New: Per-DERP-region DNS entries, such as derp1-all.tailscale.com, available for firewall allowlists or other compliance requirements

Key type embedded in keys

  • Changed: Key type is embedded in new keys, for example, tskey-auth-012345abcdef instead of tskey-012345abcdef

Tailscale v1.30.1

Update instructions →
All Platforms
  • Fixed: Exit nodes in userspace-networking mode break Chrome v.104 or later IPv6 connectivity
  • Fixed: SIGINT when running in a container without job control

See recently expired and revoked auth and API keys

  • New: Recently expired and revoked auth keys and API keys are now shown on the Keys page of the admin console

Tailscale v1.30.0

Update instructions →
All Platforms
  • New: Use DNS-over-HTTPS for Mullvad DNS servers
  • New: Report whether a subnet router is running in userspace-networking or kernel mode
  • New: send Tailscale client version number in ACME requests (to Let’s Encrypt, for example)
  • New: Report whether host kernel supports IPv6
  • New: Add tailscale licenses with link to open source licenses
  • Changed: Delete node immediately if tailscaled exists and was using mem: state storage
  • Changed: tsnet ephemeral nodes will delete themselves on Close()
  • Changed: Add a timeout when writing to BIRD socket
  • Changed: Clients can use Noise with any HTTPS port with capver 39 (mainly for Headscale)
  • Fixed: 100.100.100.100 will respond with SERVFAIL if there are no upstream resolvers
Linux
  • Fixed: Gracefully handle restarts in resolved support
macOS
  • Changed: Report variant (App Store, system extension) in the about box
  • Fixed: Fix missing IP address display in the status menu
Windows
  • New: Add native ARM build for backend Tailscale service (only in NSIS installer in this release)
  • Changed: Update Proxy support
  • Changed: Notice when group policy entries change and move our NRPT rules between the local and group policy subkeys as needed
  • Fixed: Avoid 2.3 second DNS lookup delay when Smart Name Resolution is enabled by adding MagicDNS names to hosts file
  • Fixed: Disable NetBIOS nameservice on Tailscale interfaces
iOS
  • Fixed: Fix potential crash in notification handling
  • Fixed: Fix dismissing of error indication if a bugreport fails
Android
  • New: Allow coordination server URL to be set. Click the Authentication menu three times quickly to enable
  • Fixed: Fix Google Stadia, Android Auto, GoPro, and Messages RCS with the VPN active
Synology
  • Fixed: Fix /dev/net permissions in tailscale configure-host
OpenBSD
  • New: Support functioning as a subnet router or exit node using hybrid netstack mode
Other
  • Fixed: Accommodate shared nodes in nginx-auth
  • Fixed: Fix race in derper (Custom DERP servers) with manual certificates

Share invite links without a label

  • Changed: Invite links for sharing a device are automatically generated and copied, and no longer requires a label to be generated

OneCGNATRoute setting, custom derp server upgrade

  • New: The network policy options section in ACLs now contains the OneCGNATRoute setting which controls the routes that Tailscale clients will generate
  • Fixed: Bug that can cause slow connects and a crash in a custom DERP server in manual cert mode (not using Let’s Encrypt). We encourage you to upgrade your derper binary. If you use the default Let’s Encrypt mode, no action is required

Tailscale v1.28.0

Update instructions →
All Platforms
  • New: Add ExitNodeStatus to tailscale status --json
  • Fixed: Fix tailscale ping -c N to properly exit after N ping requests even if there are timeouts
  • Changed: MagicDNS recursive resolution now returns SERVFAIL if all upstream resolvers fail
  • Changed: portmapper: Send discovery packet for IGD specifically, some routers don’t respond to ssdp:all
Linux
  • Changed: Implement specific DNS support for AWS, Google Cloud, and Azure to add internal split DNS domain and fallback DNS
macOS
  • Changed: Use one large 100.64.0.0/10 route entry if there are no other interfaces using CGNAT, to avoid Network Changed errors in browsers where possible
Windows
  • Fixed: Suppress nonfunctional link-local IPv6 addresses on Tailscale interface, PowerShell ping (hostname) now works correctly
  • Changed: Set registry values to not send DNS changes concerning our interface to AD domain controllers
  • Changed: Update Windows split DNS settings to work alongside other NRPT entries set by group policy
  • Changed: Set AllowSameVersionUpgrades attribute on MajorUpgrade tag in Windows MSI script
iOS
  • New: Add portmapper support for NAT-PMP, PCP, UPnP
  • New: Add MagicDNS support for TCP
  • Changed: The minimum iOS version is now iOS 15, which makes substantially more memory available (the App Store will offer Tailscale 1.26.2 for iOS 13 and 14 devices)
Android
  • New: Android can now be an exit node (previously available but hidden)

Tailscale v1.26.2

Update instructions →
All Platforms
  • Fixed: tailscaled being able to restart while mosh-server is running from an SSH session
  • Fixed: Make tailscale up --operator="" clear a previously set operator
Linux
macOS
  • Changed: Limit SSH login to 16 groups
Windows
  • Changed: Make SSH command prefer Windows ssh.exe over PATH
iOS

DNS records for shared devices

  • Fixed: Sharing a device with a tailnet domain alias now lets the share recipient also use the shared device’s *.ts.net DNS name

Tailscale SSH

Read more →
  • New: Use Tailscale SSH to allow Tailscale to manage the authentication and authorization of SSH connections in your tailnet (beta)
  • Changed: Default ACL now allows users to access their own devices using Tailscale SSH with check mode. This only affects tailnets with default ACLs, including new tailnets and tailnets which have never modified their ACLs

Tailscale v1.26.0

Update instructions →
All Platforms
  • New: Add --peerapi <peer> flag in tailscale ping to check connectivity to a peer using the PeerAPI
  • New: Add --timeout <duration> flag in tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initialize
  • New: Allow LoginInteractive via LocalAPI
  • New: MagicDNS supports DNS/TCP and handling IP fragmented UDP frames
  • New: Add an overall 10 second timeout for recursive MagicDNS queries
  • New: Add Wake-on-LAN function to PeerAPI. There is no UI for it currently.
  • New: Provide /run.sh as an entrypoint for Docker container builds
  • Fixed: Configured MTU is now consistent between a TUN device and a userspace device
  • Changed: Refactor tailscale.com/client/tailscale package with LocalClient type
  • Changed: Change MagicDNS “via route” DNS names from “via-SITEID.10.2.3.4” to “10.2.3.4.via-SITEID”. The old format will continue to work for the next one or two releases.
  • Changed: Build with Go 1.18.3
macOS
  • New: Tailscaled-on-macOS now supports MagicDNS, including Split DNS
  • New: Initial release of a standalone macOS client, which is independent of the App Store, in the stable track
Windows
  • New: Add TS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUI
  • Fixed: MagicDNS lookup of own hostname
  • Fixed: Handle more than 50 Split DNS domains
  • Fixed: Resolve one source of shutdown delay (there may still be more)
Synology
  • New: Allow the NAS disks to hibernate by moving telemetry buffering to tmpfs
  • Changed: Improve HTTP proxy handling
iOS
  • New: Bug report menu option in the UI

Search, role filtering, and pagination now supported in the Users page

  • New: Search for users and filter based on user role in the Users page
  • New: Pagination when user list is large in the Users page

Autogroup:members as a tag owner

  • New: autogroup:members as a tag owner, to enable device tagging by any user who is a direct member (not a shared user) of the tailnet

Format ACLs when saving

  • New: ACLs are automatically formatted when saved from the Access controls page of the admin console or the API

Tailscale v1.24.2

Update instructions →
All Platforms
  • Fixed: Handling of HTTP proxies in certain circumstances
  • Fixed: An issue where the new control plane protocol could fail to make a connection to our servers (#4557)
Synology
    • Fixed: Additional fix in handling of HTTP proxies

Tailscale v1.24.1

Update instructions →
All Platforms
  • Fixed: Two issues where the new control plane protocol could fail to make a connection to our servers (#4544, #4538)
  • Fixed: Set TCP keep-alives in userspace-networking subnet router to avoid connection leaks (#4522)
  • Fixed: Avoid using the LTE radio after transition to Wi-Fi

Tailscale v1.24.0

Update instructions →
All Platforms
  • New: Initial support for site-relative IPv4 addressing using IPv6
  • New: First for-keepsies deployment of ts2021 protocol
  • New: tsnet now supports providing a custom ipn.StateStore
  • Fixed: Improve netstack performance via better GC tuning
  • Fixed: MagicDNS: PTR records for TS service IPs
  • Changed: Build with Go 1.18
Linux
  • New: taildrop: add file get --loop
  • New: taildrop: add file get --conflict=(skip|overwrite|rename)
  • Changed: Default to userspace-networking mode on gokrazy
  • Changed: Set tailscale0 link speed to UNKNOWN, not 1Gbps
  • Changed: Attempt to load the xt_mark kernel module when it is not present
Windows
  • Fixed: Improve HTTPS proxy handling
Synology
  • Fixed: Improve HTTPS proxy handling
Android
  • New: Android TV support
  • Fixed: Fix and reintroduce Talkback support
FreeBSD
  • Fixed: Portmapping support

Filter on user state, and view Last seen date, in the Users page

  • New: Filter based on user state (Active, Inactive, and Suspended) in the Users page of the admin console
  • New: Last seen column in the Users page of the admin console

ACL tests now support group in syntax

  • New: ACL tests now support group as an option for the src field, and as the host portion of the accept and deny fields.

ACL tests now support accept/deny syntax

  • New: Policy syntax for ACL tests now supports accept/deny in addition to allow/deny when specifying destinations that the ACL rules should accept or deny.

Autogroup:members

  • New: ACL rules can use autogroup:members to write rules to allow access for users who are direct members (not shared users) of the tailnet

Tailscale v1.22.1

Update instructions →
All Platforms
  • Fixed: In userspace-networking mode, always close SOCKS proxied connections
Linux
  • Fixed: Better operation with gokrazy
macOS
  • Fixed: Fix macOS GUI “Must restart” dialog in some cases
Windows
  • Fixed: Fix a Windows NSIS installer bug when upgrading
FreeBSD
  • Fixed: Fix portmapping

Tailscale v1.22.0

Update instructions →
All Platforms
  • New: DERP Return Path Optimization (DRPO), allows a pair of nodes in different DERP regions to connect more quickly by only requiring one side to connect to the other, cutting down some DERP setup latency
  • New: tailscaled --state=mem: registers as an ephemeral node and does not store state to disk
  • New: tailscale status --json now shows Tags and PrimaryRoutes for Peers. PrimaryRoutes shows whether a HA subnet router is currently the active one.
  • New: tailscale status --json | jq .TailnetName will show the name of the tailnet
  • New: The optional tailscaled debug server’s Prometheus metrics exporter now also includes Go runtime metrics
  • New: tailscaled supports a new TS_PERMIT_CERT_UID environment variable containing either a userid or username to allow to fetch Tailscale TLS certificates for the node. This environment variable can be set in /etc/default/tailscaled to permit non-root web servers on the local machine to fetch certs from tailscaled.
  • Fixed: Send heartbeats less often, saving some battery, matching v1.20 change on mobile platforms.
  • Changed: --auth-key and --authkey both work as tailscale up arguments
Linux
  • Fixed: More robust detection of systemd-resolved
  • Fixed: Efficiently parse extremely large /proc/net/route files
  • Fixed: Be more helpful in suggesting tailscale --operator=USER to use with Taildrop
  • Fixed: Some broken host DNS configurations are now detected and reported in tailscale status
Windows
  • New: MSI installer
  • Fixed: Reject SIDs from deleted/invalid security principals to avoid failed to look up user from userid error
Synology
  • Changed: Add /var/packages/Tailscale/target/bin/tailscale configure-host to restore needed permissions. We recommend adding this as a scheduled task at boot.

ACL rules now support src/dst syntax

  • New: Policy syntax for ACL rules now supports src/dst in addition to users/ports when referring to sources and destinations

Preview rules bug fixes

  • Fixed: Preview rules in the admin console does not confuse access for tagged nodes with other tagged nodes (#3957)
  • Fixed: Preview rules no longer shows autogroup:self for all tagged nodes
  • Fixed: Preview rules no longer shows an error if there is an autogroup:self rule

Tailscale v1.20.4

Update instructions →
All Platforms
  • Fixed: DNS lookups via an exit node in many cases
Linux
  • Fixed: Better handling of extremely large /proc/net/route files for very large routers
  • Fixed: BGP advertisement with subnet router failover
OpenBSD
  • Fixed: openresolv /etc/resolv.conf handling

ACL tags General Availability

Read more →
  • Changed: ACL tags (generally available)
    • You can include tags as part of an authentication key, you can tag devices from the Machines page of the admin console, and tags can be owners of other tags. You must authenticate when re-tagging a device.
  • Fixed: Preview rules in the admin console for a user without any nodes

Tagged devices are managed by a tag, not a user

  • Changed: A device tagged with an ACL tag is associated with the tag applied to it, not with the user who authenticated the device
  • Changed: Tagged devices are listed under “Tagged Devices” in the list of Network devices in Tailscale clients
  • Changed: Users cannot use Taildrop to send files to and from nodes they have tagged
  • Fixed: A user without any nodes can be specified as part of an ACL test

Tailscale v1.20.0

Update instructions →
All Platforms
  • New: When using an exit node, DNS queries will be forwarded to the exit node for resolution
  • New: tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
  • New: SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
  • New: More debug metrics available
  • New: tailscale ip -1 flag
  • New: CLI now lets you select exit node by name
  • New: CLI now shows you which nodes are offering exit nodes
  • New: CLI now refuses to let you pick an invalid exit node (when connected)
  • New: Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
  • New: Added Online boolean to tailscale status --json, made tailscale status show offline nodes
  • New: Added tailscale up --json
  • Fixed: MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using disableIPv4: true in ACL
  • Fixed: Choose a new DERP relay server if the current DERP is removed from the DERPmap
  • Fixed: Bug fixes, cleanups, log spam reduction
Linux
  • Changed: tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)
Windows
  • New: GUI support for running an exit node
macOS
  • New: GUI support for running an exit node
iOS
  • Changed: Send heartbeats less often to conserve battery
Android
  • New: Talkback support
  • New: Menu selection to generate a bug report
  • New: “Allow LAN Access” checkbox in Exit Node menu
  • Changed: Send heartbeats less often to conserve battery
  • Changed: Implement DNS config reporting
  • Changed: No longer require fallback DNS to be configured in admin console
  • Fixed: Report in the UI when connectivity is lost; this functionality was present but broken in prior releases
FreeBSD
  • Fixed: Now supports running in a jail (if devd isn’t available, it falls back to network status polling mode)

Tailscale v1.18.2

Update instructions →
All Platforms
  • New: Permit protocols other than TCP, UDP, or SCTP if an ACL rule has a proto specified and allows * port range
  • Fixed: Exit node selection takes effect (almost) immediately
Linux
  • Fixed: In DNS DirectManager, allow comments at the end of a line
  • Fixed: Don’t get stuck waiting for systemd-resolved to restart in one particular DNS configuration
Synology

Autogroup:self

  • New: ACLs can now use autogroup:self to write access rules to allow access to devices authenticated as the same user as the source IP address

Tailscale v1.18.1

Update instructions →
Linux
  • Fixed: Regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing

Tailscale v1.18

Update instructions →
All Platforms
  • New: tailscaled debug server now exports Prometheus metrics at /debug/metrics
  • Fixed: Improved UPnP discovery so that eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
  • Fixed: State machine transition regarding expired key extension
  • Changed: If unable to upload telemetry, limit amount buffered to 50MB
  • Changed: Retry more transient DNS errors, instead of passing the failure back to the client
Linux
  • New: Support storing Tailscale state using AWS SSM (e.g., tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)
  • Fixed: If resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
  • Fixed: If NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
  • Fixed: Handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
  • Fixed: Work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
  • Changed: Use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device
iOS
  • Changed: On iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms
Synology
  • Changed: Only use AmbientCaps on DSM7+

IPv4 addresses for ephemeral nodes

  • Changed: Ephemeral nodes now have both IPv6 and IPv4 addresses

Tailscale v1.16

Update instructions →
All Platforms
  • New: Support storage of node state as a Kubernetes secret.
  • New: tailscale up --authkey=file:/path/to/secret support
  • New: tailscale up --qr for QR codes
  • New: tailscaled in userspace-networking mode can now run an HTTP proxy server (in addition to the prior SOCKS5 proxy server support)
  • Fixed: No longer need the while tailscale up; do sleep 0.1; done loops in Docker startup scripts.
  • Fixed: CPU/memory profiling support in tailscale debug
  • Fixed: Bake in LetsEncrypt’s ISRG Root X1 root (also in 1.14.6)
Linux
  • Fixed: Support containers with !CAP_NET_RAW and !CAP_NET_ADMIN (like CircleCI runners)
  • Fixed: Service (portlist) scanning optimized; uses much less CPU on busy servers
Windows
  • Fixed: Move state to C:\ProgramData (also in 1.14.4)
macOS
  • Fixed: Super rare Wireguard packet loop network flood when using a DNS server behind a subnet router, when a macOS device resumes from sleep and the network changes (also iOS, but triggers less there). Fixes #1526 (also in 1.14.6)
iOS
  • Fixed: Turn the radio on less often to improve battery performance
Android
  • Fixed: Support Taildrop on older Android releases
  • Fixed: Turn the radio on less often to improve battery performance

QR code for login link

  • New: Specify --qr as part of tailscale up to generate a QR code for the login URL

Tailscale v1.14.6

Update instructions →
All Platforms
  • Changed: Include Let’s Encrypt’s ISRG Root X1 root as an alternate to try if the platform roots fail
  • Changed: If tailscale cert fails because it needs to be run as root, say so.
  • Fixed: Avoid looping packets in tstun, believed to fix #1526
  • Fixed: Allow SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
  • Fixed: Ensure state directory is set to perm 0700.
iOS
  • Changed: Ignore ipsec link monitor events for iOS to avoid waking the system

Tailscale v1.14.4

Update instructions →
Windows
  • Changed: Move state files from C:\Windows to C:\ProgramData, to better handle Windows
Synology
  • Fixed: Fix segfaults shortly after starting, resolves #2733

Tailscale v1.14.3

Update instructions →
All Platforms
  • Changed: tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
  • Fixed: Crash in TCP forwarding with userspace-networking; resolves #2658
Windows
  • Fixed: Default route lookup on Windows; resolves #2707

Note: v1.14.1 and v1.14.2 were never released.