Changelog

• New: Use Tailscale SSH to allow Tailscale to manage the authentication and authorization of SSH connections in your tailnet
• Changed: Default ACL now allows users to access their own devices using Tailscale SSH with check mode. This only affects tailnets with default ACLs, including new tailnets and tailnets which have never modified their ACLs

All Platforms

• Fixed: Various bugs

All Platforms

• New: Add --peerapi <peer> flag in tailscale ping to check connectivity to a peer using the PeerAPI
• New: Add --timeout <duration> flag in tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initialize
• New: Allow LoginInteractive via LocalAPI
• New: MagicDNS supports DNS/TCP and handling IP fragmented UDP frames
• New: Add an overall 10 second timeout for recursive MagicDNS queries
• New: Add Wake-on-LAN function to PeerAPI. There is no UI for it currently.
• New: Provide /run.sh as an entrypoint for Docker container builds
• Fixed: Configured MTU is now consistent between a TUN device and a userspace device
• Changed: Refactor tailscale.com/client/tailscale package with LocalClient type
• Changed: Change MagicDNS “via route” DNS names from “via-SITEID.10.2.3.4” to “10.2.3.4.via-SITEID”. The old format will continue to work for the next one or two releases.
• Changed: Build with Go 1.18.3

macOS

• New: Tailscaled-on-macOS now supports MagicDNS, including Split DNS
• New: Initial release of a standalone macOS client, which is independent of the App Store, in the stable track

Windows

• New: Add TS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUI
• Fixed: MagicDNS lookup of own hostname
• Fixed: Handle more than 50 Split DNS domains
• Fixed: Resolve one source of shutdown delay (there may still be more)

Synology

• New: Allow the NAS disks to hibernate by moving telemetry buffering to tmpfs
• Changed: Improve HTTP proxy handling

iOS

• New: Bug report menu option in the UI

• New: Search for users and filter based on user role in the Users page
• New: Pagination when user list is large in the Users page

macOS

• New: Initial release of a standalone macOS client, which is independent of the App Store, in the unstable track

• New: Update billing email address in the Billing section of the General Settings page in the admin console

• Changed: The allowed expiration range for keys is 1 to 180 days, instead of 3 to 180 days

• New: Update invoice name and address in the Billing section of the General Settings page in the admin console

• New: Use the Tailscale extension for Docker Desktop to securely connect to the resources you need for development

• Changed: When adding common global DNS nameservers, Tailscale will automatically include all IPv4 and IPv6 addresses for that nameserver and treat them as one entity

• Changed: The tailnet ACL validate API call also allows verifying ACL format and running ACL tests, without posting a new ACL
• Changed: The tailnet key detail API call includes whether an auth key is pre-authorized

All Platforms

• Fixed: Handling of HTTP proxies in certain circumstances
• Fixed: An issue where the new control plane protocol could fail to make a connection to our servers (#4557)

Synology

• • Fixed: Additional fix in handling of HTTP proxies

All Platforms

• Fixed: Two issues where the new control plane protocol could fail to make a connection to our servers (#4544, #4538)
• Fixed: Set TCP keep-alives in userspace-networking subnet router to avoid connection leaks (#4522)
• Fixed: Avoid using the LTE radio after transition to Wi-Fi

Android

• New: Run Tailscale on Android TV

All Platforms

• New: Initial support for site-relative IPv4 addressing using IPv6
• New: First for-keepsies deployment of ts2021 protocol
• New: tsnet now supports providing a custom ipn.StateStore
• Fixed: Improve netstack performance via better GC tuning
• Fixed: MagicDNS: PTR records for TS service IPs
• Changed: Build with Go 1.18

Linux

• New: taildrop: add file get --loop
• New: taildrop: add file get --conflict=(skip|overwrite|rename)
• Changed: Default to userspace-networking mode on gokrazy
• Changed: Set tailscale0 link speed to UNKNOWN, not 1Gbps
• Changed: Attempt to load the xt_mark kernel module when it is not present

Windows

• Fixed: Improve HTTPS proxy handling

Synology

• Fixed: Improve HTTPS proxy handling

Android

• New: Android TV support
• Fixed: Fix and reintroduce Talkback support

FreeBSD

• Fixed: Portmapping support

• New: Add or modify your tax identification number in the Billing section of the General Settings page in the admin console

• New: ACL tests now support group as an option for the src field, and as the host portion of the accept and deny fields.

• New: Policy syntax for ACL tests now supports accept/deny in addition to allow/deny when specifying destinations that the ACL rules should accept or deny.

Linux

• Fixed: Potential crash at startup when using BGP

Windows

• Fixed: MSI not restarting GUI after MSI-to-MSI upgrade

• New: Use Caddy to manage Tailscale HTTPS certificates

All Platforms

• Fixed: In userspace-networking mode, always close SOCKS proxied connections

Linux

• Fixed: Better operation with gokrazy

macOS

• Fixed: Fix macOS GUI “Must restart” dialog in some cases

Windows

• Fixed: Fix a Windows NSIS installer bug when upgrading

FreeBSD

• Fixed: Fix portmapping

• New: Share an exit node

• New: Policy syntax for ACL rules now supports src/dst in addition to users/ports when referring to sources and destinations

All Platforms

• Fixed: DNS lookups via an exit node in many cases

Linux

• Fixed: Better handling of extremely large /proc/net/route files for very large routers
• Fixed: BGP advertisement with subnet router failover

OpenBSD

• Fixed: openresolv /etc/resolv.conf handling

• New: Disable node key expiry via API
• Fixed: Preview rules in the admin console for tagged nodes

• Changed: ACL tags are now generally available
  • You can include tags as part of an authentication key, you can tag devices from the admin console, and tags can be owners of other tags. You must authenticate when re-tagging a device.
• Fixed: Preview rules in the admin console for a user without any nodes

• Changed: A device tagged with an ACL tag is associated with the tag applied to it, not with the user who authenticated the device
• Changed: Tagged devices are listed under “Tagged Devices” in the list of Network devices in Tailscale clients
• Changed: Users cannot use Taildrop to send files to and from nodes they have tagged
• Fixed: A user without any nodes can be specified as part of an ACL test

Synology

• Fixed: UI issues in Synology (Synology 1.20.2 doesn’t have working options page)

Only the Synology client released v1.20.3. All other platforms remain with v1.20.2.

• New: Delete your tailnet from the admin console if it only has one user. Contact support for other requests

All Platforms

• Fixed: Deadlock in handling the DERP map

All Platforms

• New: When using an exit node, DNS queries will be forwarded to the exit node for resolution
• New: tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
• New: SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
• New: More debug metrics available
• New: tailscale ip -1 flag
• New: CLI now lets you select exit node by name
• New: CLI now shows you which nodes are offering exit nodes
• New: CLI now refuses to let you pick an invalid exit node (when connected)
• New: Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
• New: Added Online boolean to tailscale status --json, made tailscale status show offline nodes
• New: Added tailscale up --json
• Fixed: MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using disableIPv4: true in ACL
• Fixed: Choose a new DERP relay server if the current DERP is removed from the DERPmap
• Fixed: Bug fixes, cleanups, log spam reduction

Linux

• Changed: tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)

Windows

• New: GUI support for running an exit node

macOS

• New: GUI support for running an exit node

iOS

• Changed: Send heartbeats less often to conserve battery

Android

• New: Talkback support
• New: Menu selection to generate a bug report
• New: “Allow LAN Access” checkbox in Exit Node menu
• Changed: Send heartbeats less often to conserve battery
• Changed: Implement DNS config reporting
• Changed: No longer require fallback DNS to be configured in admin console
• Fixed: Report in the UI when connectivity is lost; this functionality was present but broken in prior releases

FreeBSD

• Fixed: Now supports running in a jail (if devd isn’t available, it falls back to network status polling mode)

• New: Auth keys can include an ACL tag binding, so that when a device is authenticated, the tags are applied
• New: ACL tags can be applied by an Owner, Admin, or Network Admin from the admin console
• New: A tag can be the owner of another tag
• New: Auth keys can be generated via API

All Platforms

• New: Permit protocols other than TCP, UDP, or SCTP if an ACL rule has a proto specified and allows * port range
• Fixed: Exit node selection takes effect (almost) immediately

Linux

• Fixed: In DNS DirectManager, allow comments at the end of a line
• Fixed: Don’t get stuck waiting for systemd-resolved to restart in one particular DNS configuration

Synology

• New: Receive Taildrop files

• New: ACLs can now use autogroup:self to write access rules to allow access to devices authenticated as the same user as the source IP address

Linux

• Fixed: Regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing

• New: User roles for Network Admin, IT Admin, and Auditor

• New: arm and arm64 container images on Docker Hub and in GitHub Packages

All Platforms

• New: tailscaled debug server now exports Prometheus metrics at /debug/metrics
• Fixed: Improved UPnP discovery so that eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
• Fixed: State machine transition regarding expired key extension
• Changed: If unable to upload telemetry, limit amount buffered to 50MB
• Changed: Retry more transient DNS errors, instead of passing the failure back to the client

Linux

• New: Support storing Tailscale state using AWS SSM (e.g., tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)
• Fixed: If resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
• Fixed: If NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
• Fixed: Handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
• Fixed: Work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
• Changed: Use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device

iOS

• Changed: On iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms

Synology

• Changed: Only use AmbientCaps on DSM7+

• New: Available as a formula in Homebrew

• New: Available in the Okta Integration Network

• New: Users can be suspended and restored from the admin console
• New: Users who are inactive are shown in the admin console

• Changed: Ephemeral nodes now have both IPv6 and IPv4 addresses

• New: Officially supported in the Synology package center

• New: Published Tailscale container image available on Docker Hub and in GitHub Packages

• New: Specify --qr as part of tailscale up to generate a QR code for the login URL

All Platforms

• Changed: Include Let’s Encrypt’s ISRG Root X1 root as an alternate to try if the platform roots fail
• Changed: If tailscale cert fails because it needs to be run as root, say so.
• Fixed: Avoid looping packets in tstun, believed to fix #1526
• Fixed: Allow SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
• Fixed: Ensure state directory is set to perm 0700.

iOS

• Changed: Ignore ipsec link monitor events for iOS to avoid waking the system

Windows

• Changed: Move state files from C:\Windows to C:\ProgramData, to better handle Windows

Synology

• Fixed: Fix segfaults shortly after starting, resolves #2733

• New: Provision TLS certificates for devices in your tailnet

• New: Free Community on GitHub pricing plan for GitHub organizations using Tailscale for open source projects, families, and friends

All Platforms

• Changed: tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
• Fixed: Crash in TCP forwarding with userspace-networking; resolves #2658

Windows

• Fixed: Default route lookup on Windows; resolves #2707

Note: v1.14.1 and v1.14.2 were never released.