Updates to the Tailscale client and service.

Tailscale v1.18.1

Update instructions →
  • Fixed: Regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing

Tailscale v1.18

Update instructions →
All Platforms
  • New: tailscaled debug server now exports Prometheus metrics at /debug/metrics
  • Fixed: Improved UPnP discovery so that eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
  • Fixed: State machine transition regarding expired key extension
  • Changed: If unable to upload telemetry, limit amount buffered to 50MB
  • Changed: Retry more transient DNS errors, instead of passing the failure back to the client
  • New: Support storing Tailscale state using AWS SSM (e.g., tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime Visonneau)
  • Fixed: If resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
  • Fixed: If NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
  • Fixed: Handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
  • Fixed: Work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
  • Changed: Use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device
  • Changed: On iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms
  • Changed: Only use AmbientCaps on DSM7+


  • New: Available as a formula in Homebrew

Suspended and inactive users

IPv4 addresses for ephemeral nodes

  • Changed: Ephemeral nodes now have both IPv6 and IPv4 addresses

Tailscale v1.16

Update instructions →
All Platforms
  • New: Support storage of node state as a Kubernetes secret.
  • New: tailscale up --authkey=file:/path/to/secret support
  • New: tailscale up --qr for QR codes
  • New: tailscaled in userspace-networking mode can now run an HTTP proxy server (in addition to the prior SOCKS5 proxy server support)
  • Fixed: No longer need the while tailscale up; do sleep 0.1; done loops in Docker startup scripts.
  • Fixed: CPU/memory profiling support in tailscale debug
  • Fixed: Bake in LetsEncrypt’s ISRG Root X1 root (also in 1.14.6)
  • Fixed: Support containers with !CAP_NET_RAW and !CAP_NET_ADMIN (like CircleCI runners)
  • Fixed: Service (portlist) scanning optimized; uses much less CPU on busy servers
  • Fixed: Move state to C:\ProgramData (also in 1.14.4)
  • Fixed: Super rare Wireguard packet loop network flood when using a DNS server behind a subnet router, when a macOS device resumes from sleep and the network changes (also iOS, but triggers less there). Fixes #1526 (also in 1.14.6)
  • Fixed: Turn the radio on less often to improve battery performance
  • Fixed: Support Taildrop on older Android releases
  • Fixed: Turn the radio on less often to improve battery performance

QR code for login link

  • New: Specify --qr as part of tailscale up to generate a QR code for the login URL

Tailscale v1.14.6

Update instructions →
All Platforms
  • Changed: Include Let’s Encrypt’s ISRG Root X1 root as an alternate to try if the platform roots fail
  • Changed: If tailscale cert fails because it needs to be run as root, say so.
  • Fixed: Avoid looping packets in tstun, believed to fix #1526
  • Fixed: Allow SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
  • Fixed: Ensure state directory is set to perm 0700.
  • Changed: Ignore ipsec link monitor events for iOS to avoid waking the system

Tailscale v1.14.4

Update instructions →
  • Changed: Move state files from C:\Windows to C:\ProgramData, to better handle Windows
  • Fixed: Fix segfaults shortly after starting, resolves #2733

Tailscale v1.14.3

Update instructions →
All Platforms
  • Changed: tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
  • Fixed: Crash in TCP forwarding with userspace-networking; resolves #2658
  • Fixed: Default route lookup on Windows; resolves #2707

Note: v1.14.1 and v1.14.2 were never released.