Changelog on Tailscale

Country device posture attribute

Wed, 27 Nov 2024 00:00:00 GMT

New: ip:country has been added as a device posture attribute (beta).

New and more granular OAuth scopes

Thu, 14 Nov 2024 00:00:00 GMT

Changed: New scopes for OAuth clients have been added with more granular permissions. Existing OAuth clients using the previous set of scopes, and keys generated using these clients, are still valid.

Tailscale Docker image v1.76.6

Fri, 08 Nov 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Changed: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Tailscale Kubernetes operator v1.76.6

Fri, 08 Nov 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

Changed: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Log streaming integration with S3 buckets

Fri, 08 Nov 2024 00:00:00 GMT

New: Tailscale network flow logs and configuration audit logs can now be streamed to Amazon S3 and S3-compatible services (beta).

Tailscale tsrecorder v1.76.6

Fri, 08 Nov 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Tailscale v1.76.6

Wed, 06 Nov 2024 00:00:00 GMT

Note: v1.76.4 and v1.76.5 were internal-only releases.

All platforms

Updated: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Android

Fixed: Android app no longer terminates unexpectedly when performing network transitions.

User approval and Invite any user GA

Tue, 05 Nov 2024 00:00:00 GMT

Changed: User approval GA (generally available)
Changed: Invite any user GA

1Password XAM device posture integration GA

Thu, 24 Oct 2024 00:00:00 GMT

Changed: 1Password Extended Access Management (XAM) GA (generally available)
- Restrict device access with 1Password XAM (formerly known as Kolide) and Tailscale device posture management.

Tailscale v1.76.3

Mon, 21 Oct 2024 00:00:00 GMT

Note: v1.76.3 includes fixes for Windows devices only, and is exclusively released for Windows.

Windows

Fixed: Mullvad VPN submenu no longer fails to populate with Mullvad exit nodes if there aren't any non-Mullvad exit nodes in the tailnet.

Tailscale v1.76.2

Thu, 17 Oct 2024 00:00:00 GMT

Note: v1.76.2 includes fixes for Android TV devices only, and is exclusively released for Android.

Android

Changed: D-Pad navigation is optimized in the Tailscale app on Android TV devices.

Tailscale v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

All platforms

Fixed: tailscale netcheck CLI command no longer crashes when performing diagnostics on networks lacking UDP connectivity.
Fixed: Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.

Linux

Fixed: dbus login sessions no longer fail on systems where /bin/login is missing.

Android

Fixed: Android application no longer crashes in certain configurations when editing the app-based split tunneling settings.

Tailscale Docker image v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

Google Workspace integration GA

Wed, 16 Oct 2024 00:00:00 GMT

Changed: User & group provisioning for Google Workspace GA (generally available)
- Sync Google Workspace groups and users to use in your Tailscale ACLs.

Tailscale Kubernetes operator v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Tailnet services can be exposed to cluster workloads on multiple proxy replicas using a ProxyGroup. It's also possible to expose multiple tailnet services on a single set of ProxyGroup replicas.
Fixed: Single use proxy auth keys no longer persist in the state Secrets after the proxies have logged in. This should fix an issue where, in some edge cases, the leftover keys were causing the proxies to attempt to re-authenticate after Pod restart.

Tailscale tsrecorder v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: State directory can be set with the TS_STATE_DIR environment variable. The state directory also defaults to /tmp/ for all tsrecorder installations that explicitly set the statefile location.

Tailscale v1.76.0

Thu, 10 Oct 2024 00:00:00 GMT

All platforms

Fixed: Clients lacking UDP connectivity no longer skip performing fallback latency measurements with DERP servers.
Fixed: Warnings no longer display unnecessarily.
Fixed: Tailscale connectivity on flights using Inflight Internet Wi-Fi (such as Alaska Airlines) no longer fails.
Fixed: Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
Fixed: Error messages include explanations in addition to the HTTP status code.

Linux

New: Tailscale SSH supports sending environment variables to hosts. It's also possible to specify permitted environment variables using the acceptEnv field.
Fixed: Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when resizing the application window.

Windows

Fixed: Ping messages sent through subnet routers to unreachable hosts no longer generate ping responses.

macOS

New: Tailscale SSH supports sending environment variables to hosts. You must specify permitted environment variables using the acceptEnv field.
New: Tailscale .pkg installer for the standalone variant prevents potential conflicts by showing a warning if it detects a Homebrew install of Tailscale.
New: Bug report view shows a warning if Tailscale detects that Cloudflare WARP is installed. Some Cloudflare WARP configurations conflict with Tailscale.
Fixed: DNS settings no longer improperly set when keys expire or Tailscale stops.

iOS

Changed: Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
Fixed: DNS settings no longer improperly set when keys expire or Tailscale stops.

tvOS

Fixed: DNS settings no longer improperly set when keys expire or Tailscale stops.

Android

New: Account switcher displays the server hostname if the account uses a custom coordination server.
Changed: Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
Fixed: Quick tile toggle no longer fails to turn on Tailscale if Tailscale had been manually disconnected before it was last shut down.

Personal Plus pricing plan

Thu, 03 Oct 2024 00:00:00 GMT

New: The Personal Plus pricing plan offers the same features as the Personal plan with up to 6 users for a flat rate. For details about billing, plan comparison, and support, see Pricing & Plans FAQ.

Tailscale v1.74.2

Wed, 02 Oct 2024 00:00:00 GMT

Tailscale v1.74.2 addresses an issue for iOS, and is exclusively released for that platform.

iOS

Fixed: The Tailscale app launches as expected when Wi-Fi Calling on This iPhone is enabled in the iOS Cellular settings.

Tailnet deletion

Wed, 02 Oct 2024 00:00:00 GMT

Changed: Tailnets containing multiple users can be deleted from the admin console without first deleting the users manually.

Parameters added to Set custom device posture attributes endpoint

Fri, 27 Sep 2024 00:00:00 GMT

New: The optional expiry and comment parameters have been added to the Set custom device posture attributes endpoint of the device posture attribute API.

Tailscale v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

Tailscale v1.74.1 addresses issues for Linux and Android, and is exclusively released for those platforms.

Linux

Fixed: Linux-only NAT traversal optimization added in v1.74.0 is now disabled following a bug report. The behavior is reverted to that of v1.72.x and earlier and will be re-added in a future release.

Android

Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.

Fixed: Device network change detection is improved to reflect accurate Tailscale DNS configuration updates.
Fixed: System policies for the Android client on ChromeOS work as expected.

Tailscale Docker image v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Recorder CRD (custom resource) is added for deploying the Tailscale tsrecorder to Kubernetes.
New: Default ProxyClass can now be specified for the Kubernetes Operator proxies. If you are using Helm, the default ProxyClass can be configured in the proxyConfig.defaultProxyClass Helm value or set using PROXY_DEFAULT_CLASS environment variable.
Fixed: Wildcards in RBAC role definitions are replaced with exact verbs.

Tailscale tsrecorder v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale Terraform Provider v0.17.0

Fri, 13 Sep 2024 00:00:00 GMT

v0.17.0 of the Tailscale Terraform Provider has been released with the following changes:

Resources

New: Manage webhooks with tailscale_webhook.
New: Manage contact preferences with tailscale_contacts.
New: Manage device posture integrations with tailscale_posture_integration.
New: Manage log streaming with tailscale_logstream_configuration.
New: Manage Tailnet settings with tailscale_tailnet_settings.
Fixed: Changing the domain attribute for tailcale_dns_split_nameservers now properly removes the previous domain value.

Data Sources

New: Fetch information for multiple users with tailcale_users.
New: Fetch information for a specific user with tailscale_user.

Tailscale v1.74.0

Thu, 12 Sep 2024 00:00:00 GMT

All platforms

New: AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
New: tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
Changed: Go is updated to version 1.23.1.
Fixed: Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
Fixed: Log In option in the client works as expected.

Linux

New: TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
Changed: TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.

Windows

Fixed: The client no longer connects to a tailnet automatically when restarting or switching profiles.
Fixed: Profiles created as Local System with Unattended Mode enabled are retained after a reboot.

macOS

Changed: The open-source variant of the Tailscale client can now read the system DNS configuration to provide DNS resolution when tailscale set -—accept-dns or tailscale up -—accept-dns is enabled and the Override local DNS option in the DNS page of the admin console is disabled.
Fixed: DNS resolution continues to work after a key expires.

tvOS

New: The ping feature allows you to observe connectivity performance between your Apple TV and other devices in your tailnet.

Android

Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.

Fixed: Tailscale DNS works as expected when switching between Wi-Fi and cellular networks.
Fixed: System policies for the Android client on ChromeOS work as expected.

MAC addresses matching in CrowdStrike Falcon

Wed, 11 Sep 2024 00:00:00 GMT

New: Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.

Tailscale v1.72.2

Mon, 26 Aug 2024 00:00:00 GMT

Tailscale v1.72.2 addresses issues for macOS, iOS, and tvOS, and is exclusively released for those platforms.

macOS

Fixed: An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.
Fixed: An issue that could prevent Tailscale from automatically launching at login on some Macs is fixed.

iOS

Fixed: An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.

tvOS

Fixed: An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.

Configurable session timeouts

Fri, 23 Aug 2024 00:00:00 GMT

New: Admin console session timeouts from inactivity are now configurable from the User Management Settings page of the admin console.

Tailscale v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

Tailscale v1.72.1 addresses a Linux-specific issue, and is exclusively released for the Linux platform and containers.

Linux

Changed: TCP generic segmentation offload (GSO) support for userspace mode is removed.
Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale Docker image v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale Kubernetes operator v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale tsrecorder v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale Docker image v1.72.0

Wed, 21 Aug 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: An HTTP health check endpoint at /healthz can be enabled by setting TS_HEALTHCHECK_ADDR_PORT to [addr]:port.

Tailscale Kubernetes operator v1.72.0

Wed, 21 Aug 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Additional environment variables can now be passed for the Kubernetes Operator deployment via Helm chart options.
Fixed: DNSConfig CRD reconcile logic is fixed for dual-stack clusters.

Tailscale tsrecorder v1.72.0

Wed, 21 Aug 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Fixed: Running without HTTPS is now allowed when UI is disabled.

Tailscale v1.72.0

Mon, 19 Aug 2024 00:00:00 GMT

All platforms

New: Captive portal detection is now supported.
New: The tailscale cert command now contains the --min-validity flag. Use this flag to request a specified minimum remaining validity on the returned certificate. This flag is intended for automation, like cron jobs, that periodically refreshes certificates.
New: The tailscale lock command now supports passing keys as files. To pass a key as a file, use the prefix file: followed by the path to the file: file:<path-to-key-file>.
Changed: A health warning is now raised if Tailscale is unable to forward DNS queries to the configured resolvers.
Changed: An increase in send and receive buffer sizes for userspace mode TCP improves throughput over high latency paths.

Linux

New: The addition of TCP generic segmentation offload (GSO) support to userspace mode improves throughput.

macOS

Note: macOS 10.15 Catalina is no longer supported. See the v1.60.0 changelog for our initial end of life announcement.

New: Notifications are sent when a captive portal is detected.
Fixed: Health warnings in the UI are now sorted by their severity level.
Fixed: Reliability of the authentication process when launching the web browser is improved.
Fixed: The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

iOS

New: Notifications are sent when a captive portal is detected.
New: Health warnings are displayed when connectivity is impacted.
Fixed: An error message is displayed while attempting to start the VPN when both Wi-Fi and cellular interfaces are down, instead of failing silently.
Fixed: The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

tvOS

New: Notifications are sent when a captive portal is detected.
Fixed: The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

Android

New: Health warnings, if any are present, are displayed in the main view of the app.

Via in Access Control Previews

Thu, 15 Aug 2024 00:00:00 GMT

New: Access control policies using via are included in the Preview rules tab of the Access Controls page of the admin console.

Microsoft Entra ID SCIM GA

Tue, 13 Aug 2024 00:00:00 GMT

Changed: User & group provisioning for Microsoft Entra ID GA (generally available)
- Sync Microsoft Entra ID groups and users to use in your Tailscale ACLs.

Autogroups allowed as SSH source in ACLs

Thu, 08 Aug 2024 00:00:00 GMT

New: SSH src in ACL rules supports all role-based autogroups.

New device posture integrations

Fri, 02 Aug 2024 00:00:00 GMT

New: 1Password XAM is available as a device posture integration (beta)
New: Jamf Pro is available as a device posture integration (beta)
New: Kandji is available as a device posture integration (beta)
New: Microsoft Intune is available as a device posture integration (beta)
New: SentinelOne is available as a device posture integration (beta)

Control D integration

Thu, 25 Jul 2024 00:00:00 GMT

New: Control D DNS is available as a global nameserver in your tailnet.

New API endpoints

Mon, 22 Jul 2024 00:00:00 GMT

We have added the following endpoints to Tailscale's public API:

Tailscale Docker image v1.70.0

Mon, 22 Jul 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: Egress proxies specified by an FQDN now work also for IPv6-only network stacks.

Tailscale Kubernetes operator v1.70.0

Mon, 22 Jul 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

New: Egress proxies specified by an FQDN now work also for IPv6-only network stacks.
New: Tailscale Service status now includes a custom Tailscale proxy status condition.
New: Optionally record kubectl exec sessions.
Fixed: Cluster resources for failed egress proxies are now correctly cleaned up when the parent Service is deleted.

Tailscale tsrecorder v1.70.0

Mon, 22 Jul 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Fixed: tsrecorder now plays session recordings for interactive sessions initiated by a command that explicitly specifies shell.

Tailscale v1.70.0

Wed, 17 Jul 2024 00:00:00 GMT

All platforms

New: Restrict recommended and automatically selected exit nodes using the new AllowedSuggestedExitNodes system policy. Applies only to platforms that support system policies.
Changed: Improved NAT traversal for some uncommon scenarios.
Changed: Optimized sending firewall rules to clients more efficiently.
Fixed: Exit node suggestion CLI command now prints the hostname (which you can use with the tailscale set command).
Fixed: Taildrive share paths configured through the CLI resolve relative to where you run the tailscale command.

Linux

Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.

Windows

New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
New: The new AllowedSuggestedExitNodes system policy restricts which exit nodes Tailscale recommends or automatically selects.
Fixed: DNS leak issue.
Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.
Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.

macOS

Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.

New: Toggle Tailscale DNS from Siri or the Shortcuts app.
New: Receive health notifications in the client menu on macOS to inform you about lack of internet connectivity, firewalls blocking Tailscale, misconfiguration issues, and other issues. Health issues that affect connectivity also change the Tailscale icon in the system menubar to show an exclamation mark.
New: On MacBooks with a notch in the display, a notification window will now appear if the Tailscale icon is hidden behind the notch due to too many menubar items.
New: The Tailscale client now warns you when the built-in macOS content filter (Screen Time) prevents Tailscale from connecting.
New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
Changed: The exit node picker no longer presents exit node suggestions if the organization enforces always using the suggested exit node using the ExitNodeID system policy.
Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.
Fixed: Increased the reliability of the Install Updates Automatically setting.

iOS

New: Toggle Tailscale DNS from Siri or the Shortcuts app.
New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
Fixed: wireguard-go memory pool deadlock issue is resolved.
Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
Fixed: User interface no longer flickers when selecting an exit node.

tvOS

New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
Fixed: wireguard-go memory pool deadlock issue is resolved.
Fixed: User interface no longer flickers when selecting an exit node.

Android

New: Access ping information and connection status by long-pressing on a device in the devices list and selecting Ping.
New: Use split tunneling to force or exclude app traffic through your tailnet.
Fixed: wireguard-go memory pool deadlock issue is resolved.

Indent has shut down

Mon, 15 Jul 2024 00:00:00 GMT

New: Indent shut down their service effective July 15, 2024. If you were using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration with Tailscale.

Plan enrollment changes for new tailnets

Thu, 11 Jul 2024 00:00:00 GMT

New: The process for creating a new tailnet now asks you if the tailnet will be primarily used At work or At home. This determines whether to enroll the tailnet into a 14-day trial or the Personal plan. For more details, see the Tailscale quickstart topic.
Changed: Newly created tailnets using custom domains are no longer automatically enrolled in a trial. Instead, the At work or At home selection determines trial enrollment.

New API endpoints, OpenAPI spec, and interactive API docs

Wed, 10 Jul 2024 00:00:00 GMT

New: Access an OpenAPI spec for the Tailscale API. The spec is used to generate our new interactive documentation. Note that the spec definition may change without notice, so should not be relied upon for stability.
New: Access interactive documentation for the Tailscale API.

New API endpoints

We have added the following endpoints to Tailscale's public API:

Logging endpoints

New: Get log streaming status.
New: Get log streaming configuration.
New: Set log streaming configuration.
New: Disable log streaming.
Changed: Created a new endpoint for listing configuration audit logs. An earlier version of this endpoint is still supported for backwards compatibility.
Changed: Created a new endpoint for listing network flow logs. An earlier version of this endpoint is still supported for backwards compatibility.

Webhook management endpoints

Device posture endpoints

User management endpoints

New: List all users in the tailnet.
New: Get details about a specific user.
New: Update the role for a specific user.
New: Approve a pending user's access to the tailnet. This is only applicable to tailnets that have enabled user approval.
New: Suspend a user. Available for the Personal and Enterprise plans.
New: Restore a suspended user. Available for the Personal and Enterprise plans.
New: Delete a user. Available for the Personal and Enterprise plans.

User invite endpoints

Device invite endpoints

Contact preferences endpoints

New: List the tailnet's current contact preferences.
New: Update a tailnet contact.
New: Resend the verification email for a tailnet contact.

Automatically cleanup invites

Wed, 10 Jul 2024 00:00:00 GMT

New: Invite team member invites are now automatically deleted 90 days after the last welcome email was sent.

IP sets GA

Mon, 08 Jul 2024 00:00:00 GMT

Changed: IP sets GA (generally available)
- Use IP sets to target and manage cross-sections of your tailnet independently of other groupings like subnets, tags, and groups.

Via in grants

Mon, 08 Jul 2024 00:00:00 GMT

New: Use Via to add routing awareness to grants (beta).
- Define the exit nodes, subnet routers, or app connectors a source can access when they use a specific destination.

Tailscale v1.68.2

Tue, 02 Jul 2024 00:00:00 GMT

All Platforms

Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes signed by the same pre-signed reusable auth key.

macOS

Changed: Wake from sleep reliability is improved for re-connections and transitions between networks.

iOS

Changed: Wake from sleep reliability is improved for re-connections and transitions between networks.

Sync Google Workspace groups to use in your Tailscale ACLs

Tue, 25 Jun 2024 00:00:00 GMT

New: User & group provisioning for Google Workspace (beta)

Indent shutting down July 15, 2024

Fri, 21 Jun 2024 00:00:00 GMT

New: Indent has announced they are shutting down 12:00 PM PST July 15, 2024. If you are using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration by that time.

Tailscale Docker image v1.68.1

Thu, 20 Jun 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: UDP GRO forwarding can be turned on for containers configured as Tailscale subnet routers or exit nodes, using the new environment variable TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS. To learn more, see Performance best practices.
New: Containers that run on Kubernetes and store the tailscaled state in a Kubernetes Secret can now be enforced to read the Kubernetes API server address and port from the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS. By default, the values are read from the Kubernetes Service in the default namespace. To enforce the environment variables, set TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV to true.

Tailscale Kubernetes operator v1.68.1

Thu, 20 Jun 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

New: Tailscale Kubernetes operator proxies can now be configured to accept routes advertised by tailnet peers using the new proxyClass.spec.tailscale.acceptRoutes field. To learn more, see our ProxyClass documentation.
New: Images and image pull policies can be configured for individual Tailscale Kubernetes operator proxies using ProxyClass.
New: Connector Custom Resources status now includes the proxy's tailnet IP addresses and MagicDNS name.
Fixed: Helm values file now allows configuring image repositories using a repository key, which is a standard and expected by some tools.

Tailscale tsrecorder v1.68.1

Thu, 20 Jun 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

New: --state flag or the TS_STATE environment variable can be used to specify a Kubernetes Secret as tailscaled state store when deploying the tsrecorder container.
New: --dst flag for destination can be set as the environment variable TSRECORDER_DST when deploying the tsrecorder container.
New: --bucket flag for the S3 bucket name can be set as the environment variable TSRECORDER_BUCKET when deploying the tsrecorder container.
New: --hostname flag for the hostname can be set as the environment variable TSRECORDER_HOSTNAME when deploying the tsrecorder container.
New: --ui flag for the user interface can be set as the environment variable TSRECORDER_UI when deploying the tsrecorder container.
New: AWS ambient credentials can be used to access the S3 backend.

Tailscale v1.68.1

Fri, 14 Jun 2024 00:00:00 GMT

All Platforms

Fixed: 4via6 subnet router advertisement works as expected.

Linux

Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.

Android

Fixed: Android TV navigation is improved.

Tailscale v1.68.0

Wed, 12 Jun 2024 00:00:00 GMT

All Platforms

New: Auto-updates are available for containers. The tailnet-wide default is ignored in containers.
New: When enabled, auto-updates get applied even if the node is down or disconnected from the coordination server.
Changed: tailscale lock status now prints the node's signature.
Changed: Go is updated to version 1.22.4.

Windows

Changed: .exe installer no longer downloads MSI packages for Windows 7 and Windows 8, automatically. See the v1.42.0 changelog for our initial end of life announcement.

macOS

New: Standalone variant of the client can now install a launcher for the Tailscale CLI in /usr/local/bin by going to Settings, CLI integration, then Show me how.
New: Standalone variant of the client now supports notifications when a file is received using Taildrop.
New: Pop-up notification displays when a network might be vulnerable to a potential TunnelVision attack. For more information, see TunnelVision vulnerability and Tailscale.
Changed: Client starts up more reliably if another VPN app is running when Tailscale is enabled.
Changed: .pkg installer terminates pre-existing copies of Tailscale and the VPN extension before proceeding with installation if Tailscale was already installed.
Fixed: TunnelBear installation is properly detected, and warns the user about incompatibility.
Fixed: Using Exit Node label no longer appears incorrectly in the app menu before completing onboarding, upon the first time app launch.
Fixed: Fixed a bug with split DNS domains being used as search domains after a network change.

iOS

Changed: Battery life is optimized by offloading DNS resolution to iOS in more cases.
Changed: Client now starts more reliably if another VPN app is running when Tailscale is enabled.
Fixed: Bug report view no longer copies the bug report ID to the clipboard automatically.
Fixed: Reauthenticate button for in-app key expiry notifications works as expected.
Fixed: Dark mode contains minor changes to UI colors.
Fixed: Fixed a bug with split DNS domains being used as search domains after a network change.

tvOS

Changed: Client now starts more reliably if another VPN app is running when Tailscale is enabled.
Fixed: Reauthenticate button for in-app key expiry notifications works as expected.

Android

Changed: On-off toggle state better matches the actual client state.
Changed: Status notifications when Tailscale is disconnected are now background notifications, and tapping on notifications launches the Tailscale app.
Changed: Client starts automatically after the first login.
Changed: System policy (MDM) support is added for mandatory exit nodes.
Fixed: Organization name is now rendered properly when set in the ManagedByOrganizationName system policy.
Fixed: Crashing no longer occurs when launching Tailscale and another VPN application was already running.
Fixed: Running an exit node no longer lets you use another device as an exit node and vice versa.
Fixed: Home screen shows the selected exit node country and city when using Mullvad exit nodes.

Note: The Tailscale client releases for containers such as the Kubernetes operator, Docker image, and tsrecorder are typically released a few days after the initial client release. A separate changelog will be published when client updates for containers are available.

Auto exit nodes

Thu, 30 May 2024 00:00:00 GMT

New: You can now automatically select a recommended exit node based on client information (such as location).

Exit node destination logging

Fri, 24 May 2024 00:00:00 GMT

New: Exit node destination logging can now be configured from the Network flow logs tab in the Logs page of the admin console.

Tailscale v1.66.4

Mon, 20 May 2024 00:00:00 GMT

All platforms

Fixed: Restored UDP connectivity through Mullvad exit nodes.

Linux

Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.

Tailscale v1.66.3

Wed, 15 May 2024 00:00:00 GMT

Note: Tailscale v1.66.2 was an internal-only release.

All platforms

Fixed: Login URLs did not always appear in the console when running tailscale up.

Android

Changed: Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.

Kubernetes operator

Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
New: Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #11019.
New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019.
New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD. Refer to ProxyClass API.
New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.
New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to ProxyClass API.
Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.

Containers

Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326.
Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326.

Dark mode in the admin console

Wed, 15 May 2024 00:00:00 GMT

New: Use the Light, Dark, or Use system setting theme in the admin console by clicking the avatar menu on the top-right and selecting Appearance. The default theme is Use system setting.

Support for Amazon Fire devices

Fri, 10 May 2024 00:00:00 GMT

New: The Tailscale app for Android is now available in the Amazon Appstore for Amazon Fire TVs and tablets.

Tailscale v1.66.1

Thu, 09 May 2024 00:00:00 GMT

This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.

Linux

New: tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
Fixed: Issue with nftables rules for stateful filtering, introduced in v1.66.0.

macOS

Fixed: A version mismatch warning no longer displays when upgrading, if no mismatch is detected.

ACL syntax updates

Wed, 08 May 2024 00:00:00 GMT

Changed: As part of a security fix to address an issue related to exit nodes and subnet routing (TS-2024-005), changes are made to ACLs.
- The meaning of * when used in the src field in ACLs has been changed. Previously, * expanded to include any IPv4 and IPv6 address. With this change, * expands to all Tailscale IP addresses and all IP addresses from approved subnet routes.
- The new autogroup:danger-all ACL type has been added, which matches the previous definition of * when used in the src field. If you are using default ACLs or have specified * in src, you don't need to make any ACL changes to get the new secure behavior.
- We recommend updating all Tailscale clients to v1.66 to benefit from the additional security improvements.

Tailscale v1.66.0

Wed, 08 May 2024 00:00:00 GMT

We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.

All platforms

New: Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Linux

New: Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.

New: Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
New: Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
Changed: Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.

macOS

New: View a suggested exit node in the Exit Node picker when available.
New: Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
Changed: Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

iOS

New: See direct vs. relayed connections in the Ping view.
New: View a suggested exit node in the Exit Node picker when available.
New: Use auth keys to log in without using the browser.
New: Search tagged devices by tag in the Devices list.
New: Remove accounts in the Fast User Switching view by using a long press, without having to log out.
Changed: Improved UI experience to log into a custom coordination server like Headscale.
Changed: The Fast User Switching view can now be used when Tailscale is disconnected.
Changed: Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
Changed: Reduced app launch time.

tvOS

New: Manage DNS configuration in the DNS Settings view.
New: Generate a bug report identifier by navigating to About Tailscale > Report an issue.
Changed: Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

Android

We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.

New: Use new status indicators to see at-a-glance insights into node connectivity. Tap on a node to see detailed information.
New: See detailed information about resolvers, domains, and routing configurations in a dedicated DNS Settings view.
New: See the status of Tailnet lock and node keys.
New: Use Fast user switching to switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate.
New: Use auth keys to log in without using the browser.
New: Manage Android devices in your tailnet using Mobile Device Management (MDM) solutions such as Google Workspace, Microsoft Intune, or TinyMDM, among other tools.
New: Accessibility support.
New: Use dark mode as an alternative to light mode.
Changed: The Quick Settings tile has been temporarily disabled, pending resolution of an issue.
Changed: More intuitive behavior switching between exit nodes.
Fixed: Issue with LAN access during exit node use.

Device posture management GA

Wed, 01 May 2024 00:00:00 GMT

Changed: Device posture management GA (generally available)
- Use Device posture management to collect device properties and set device connectivity rules within your Tailscale network. Leverage Tailscale's integration with CrowdStrike to use Falcon Zero Trust Assessment (ZTA) scores to enable granular access control based on device health and security.

Manage split DNS in API and Terraform

Tue, 30 Apr 2024 00:00:00 GMT

New: The API can now read, update, and set split DNS.
New: The Tailscale Terraform provider can now manage split DNS.

Log streaming with Axiom

Tue, 23 Apr 2024 00:00:00 GMT

New: Log streaming integration with Axiom GA (generally available).
- Use Axiom for log streaming.

Windows OS versions in admin console

Mon, 22 Apr 2024 00:00:00 GMT

Changed: Windows machines in the admin console are now displayed using their marketing version number instead of their internal version number.

All identity providers available to everyone

Thu, 18 Apr 2024 00:00:00 GMT

Changed: Allowable identity providers are no longer limited by pricing plan. Any supported identity provider is available to all plans.

Tailscale v1.64.2

Wed, 17 Apr 2024 00:00:00 GMT

Windows

Changed: Installers are now built using WiX toolchain version 3.14.1.

Synology

Fixed: DiskStation Manager UI no longer freezes for a few minutes at startup when attempting to clean unused routes. This update is applicable to the version provided on pkgs.tailscale.com.

Changelog update

Mon, 15 Apr 2024 00:00:00 GMT

Changed: The Tailscale changelog has migrated to a new server. To prevent disruptions to RSS readers that subscribe to our changelog, we have limited the RSS feed to entries published on or after 2024-04-15. Existing RSS subscriptions should not lose access to older entries that have already been downloaded. The full changelog history is always available on our website

Share devices by email from the admin console

Mon, 15 Apr 2024 00:00:00 GMT

New: Share devices by sending emails directly from the admin console. The email will contain the invitation and instructions on how to accept the device share.