Changelog

Linux

• State file encryption and hardware attestation keys are no longer enabled by default.
• Failure to load hardware attestation keys no longer prevents the client from starting. This could happen when the TPM device is reset or replaced.

Windows

• State file encryption and hardware attestation keys are no longer enabled by default.
• Failure to load hardware attestation keys no longer prevents the client from starting. This could happen when the TPM device is reset or replaced.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• Hardware attestation keys are no longer added to Kubernetes state Secrets, making it possible to change the Kubernetes node the Tailscale containers are deployed on.

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

• Certificate renewal is no longer done as an ARI order by default to avoid renewal failure if ACME account keys are recreated.
• Hardware attestation keys are no longer added to Kubernetes state Secrets, making it possible to change the Kubernetes node the Tailscale Kubernetes Operator is deployed on.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• Note: This version contains no changes except for library updates.

• The Tailscale API supports creating, reading, updating, and deleting federated identities.
• tailscale-client-go-v2 can configure federated identities.
• The Tailscale Terraform provider can configure federated identities.

• The Tailscale GitHub Action uses the correct architecture for storing and retrieving caches on macOS-based GitHub runners.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• Ensure errors for background certificate renewal failures are logged.

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

• A Helm templating issue that occurred when an OAuth client secret was not set, is resolved.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• iptables can be used on hosts that don't support nftables, as expected.

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

• The operator supports workload identity federation for authenticating to a tailnet using provider-native identity tokens.
• tailscale.com/http-redirect annotation can be applied to Ingress resources for enabling HTTP to HTTPS redirects.
• The operator defaults to using the stable image for nameservers deployed using the DNSConfig resource.
• Recorder resources can specify a replica count for highly available deployments. Using multiple replicas requires using an S3 storage backend.
• ArgoCD compatibility is improved. You can use both boolean and string values when setting the apiServerProxyConfig.mode and apiServerProxyConfig.allowImpersonation values.
• The operator correctly reconciles managed Ingresses sharing the same namespace as other unmanaged Ingresses.
• ProxyGroup backed ingresses no longer get stuck during deletion if they use a Tailscale Service that had been deleted.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• tsrecorder can use a file containing an auth key for authentication using the TS_AUTHKEY_FILE environment variable.

All platforms

• WireGuard configuration that occurs automatically in the client, no longer results in a panic.

macOS

• Tailscale system extension no longer fails to install during an upgrade.

Note: 1.92.0 was a release candidate intended for testing only.

All platforms

• Tailscale Funnel and Tailscale Serve support the PROXY protocol, a header format that forwards information about the original client connection, such as the source IP and port, to the server before the actual traffic begins.
• Tailscale Peer Relays can use static endpoints using the tailscale set command with the --relay-server-static-endpoints flag.
• Tailscale Services can be configured to use a remote target as a service destination.
• Nodes can authenticate using workload identity federation with the tailscale up command flags --client-id and --id-token.
• Network flow logs automatically record node information about itself and peers it communicates with.
• Tailnet Lock command tailscale lock log --json response returns Authority Update Messages (AUMs) in a more stable format.
• Tailscale Peer Relay endpoint advertisements include more candidate IP:port pairs.
• Tailscale Peer Relays support multiple, forward bind packets per handshake generation, which improves path selection and chances of completing a handshake.

macOS

• Redundant label text for VoiceOver is removed from the exit node picker.

iOS

• Taildrop supported nodes are shown in Device Details.
• Redundant label text for VoiceOver is removed from the exit node picker.

macOS

• Taildrop works as expected using the macOS Share option.

Android

• An issue in custom control servers (Headscale) that could result in connectivity problems is resolved.

All platforms

• tailscaled no longer deadlocks during event bursts.
• The client no longer hangs after wake up when port mapping is in use and interfaces are slow to become available.

Android

• DNS continues working when switching from cellular to Wi-Fi connections.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• tailscaled no longer deadlocks during event bursts.
• The client no longer hangs after wake up when port mapping is in use and interfaces are slow to become available.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Note: v1.90.7 was an internal-only release.

All platforms

• Panic issue related to Peer Relays is resolved.
• Deadlock issue no longer occurs when handling Peer Relays endpoint allocation requests.
• Memory leak in Peer Relays is resolved.

Linux

• Nodes without the tailscaled --statedir flag or the TS_STATE_DIR environment variable no longer fail to enforce signing checks in tailnets with Tailnet Lock enabled. This fix addresses a security vulnerability described in TS-2025-008.

macOS

• Connectivity issue related to sleep and wake is resolved.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• Nodes without the tailscaled --statedir flag or the TS_STATE_DIR environment variable no longer fail to enforce signing checks in tailnets with Tailnet Lock enabled. This fix addresses a security vulnerability described in TS-2025-008.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• The domain log.tailscale.com resolves to static IP address ranges registered and managed by Tailscale. If IP-based rules are required for your firewall, use the IPv4 range 199.165.136.0/24 and the IPv6 range 2606:B740:1::/48.

Note: In most cases, you do not need to configure firewall rules to use Tailscale. For more information, refer to What firewall ports should I open to use Tailscale?

App connectors

• Routes no longer stall and fail to apply when updated repeatedly in a short period of time.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• App connector routes no longer stall and fail to apply when updated repeatedly in a short period of time.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Linux

• Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This affected tailnets that use Tailscale SSH recording.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• DNSConfig nameserver supports Pods with IPv6 addresses and will serve AAAA records.
• DNSConfig nameserver supports specifying a replica count for high-availability deployment.
• DNSConfig nameserver supports specifying pod tolerations.
• ProxyClass now supports the dnsConfig and dnsPolicy fields for refined DNS specifications.
• Reconciler logs are now sent to the Tailscale control plane in addition to the core client logs that are already sent. As before, this can be disabled by setting the TS_NO_LOGS_NO_SUPPORT environment variable to true within the operator deployment.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• tsrecorder is updated with web interface search, filtering, and enhanced design. The web interface supports freeform text search for corresponding metadata such as user ID, date, and invoked commands.
• kubectl exec sessions record as expected.
• Cached recordings on large datasets no longer fail if the caching process exceeds one minute.
• Recordings are no longer stopped when a session exceeds one minute.

• Use workload identity federation (beta) for creation of federated OIDC workload identities from third-party providers to authenticate requests to the Tailscale API.
• tailscale-client-go-v2 can use workload identity federation for authentication.
• The Tailscale Terraform provider can use workload identity federation for authentication.
• The Tailscale GitHub Action can use workload identity federation for auth key generation.
• The tailscale up command can use workload identity federation for auth key generation.
• OAuth client scopes and descriptions are editable in the Trust credentials page of the admin console.
• The Trust credentials page of the admin console replaces the OAuth clients page.

• Administer multiple tailnets (alpha) under a single organization, using a common identity provider and domain.

• Use Tailscale Peer Relays for client-to-client connections when direct connections aren't possible (beta).

• Use the visual policy editor to create and manage your tailnet policy file (generally available).

All platforms

• A deadlock issue no longer occurs in the client when checking for the network to be available.

Linux

• tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.

Windows

• tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.

WASM

• The JS/WASM client used by tsconnect no longer crashes unexpectedly.

• Use Tailscale Services to decouple applications and services from the devices that host them (beta).

All platforms

• tailscaled shuts down as expected and without panic.

Linux

• tailscaled starts up as expected in a no router configuration environment.

macOS

• The Tailscale dock icon closes as expected when the client is not using the windowed UI (beta).

FreeBSD

• tailscaled starts up as expected in a no router configuration environment.

OpenBSD

• tailscaled starts up as expected in a no router configuration environment.

Linux

• An iptables regression on non-amd64/arm64 platforms is resolved, and the client starts as expected.
• Running Tailscale on devices equipped with Trusted Platform Module (TPM) 1.x no longer causes the tailscaled daemon to fail.

• The Tailscale GitHub Action stops the background Tailscale processes when a CI job finishes.
• The Tailscale GitHub Action validates that tags are specified when using an OAuth client.

Note: 1.90.0 was a release candidate intended for testing only.

All platforms

• Clients can use configured DNS resolvers for all domains even when the client also uses an exit node using the nameserver settings in the DNS page of the admin console.
• Node keys will be renewed seamlessly, so clients will maintain existing connections while re-authenticating.
• Go is updated to version 1.25.3.
• Unnecessary path discovery packets over DERP servers are suppressed.

Linux

• Node key sealing is GA (generally available) and enabled by default. Existing nodes will migrate to node key sealing automatically on upgrade. For more information, including how to opt out, refer to Secure node state storage.

Windows

• Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.

macOS

• The Hide Dock Icon checkbox located in Settings lets you remove the Tailscale icon from the macOS dock when the client window is closed.
• The tailscale drive CLI command for sharing Taildrive directories is no longer available. Use the client GUI for sharing directories instead.
• Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.
• Exit node selection using the macOS Shortcuts app work as expected.
• Accounts displayed using the macOS menu bar Tailscale icon load as expected.
• Client users preference for automatic/recommended exit node selection is remembered as expected.

iOS

• Exit node selection using the iOS Shortcuts app work as expected.
• Client users preference for automatic/recommended exit node selection is remembered as expected.

Android

• Client is able to establish direct connections as expected.

Note: For more in-depth details about all the tailnet names and types, refer to Tailnet name types.

• The Display name field is added to the Settings > General page of the admin console. This is an optional field that lets you assign a custom display name to your tailnet that appears in the admin console, client UI, and client CLI, instead of your domain or email address.
• The Tailnet ID field is added to the Settings > General page of the admin console. This string should be used in the tailnetId field for Tailscale API path parameters instead of your organization name.
• The Organization field in Settings > General page of the admin console is renamed Legacy ID. This field will continue to display for existing tailnets but will not display for newly created tailnets.

• The Tailscale GitHub Action no longer logs the output of all shell commands to the runner's console unless debug logging is enabled.
• The Tailscale GitHub Action masks authentication secrets in logs unless debug logging is enabled.

macOS

• The macOS Firewall system setting Block all incoming connections no longer causes intermittent connectivity disruptions when enabled.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

• The Tailscale GitHub Action no longer logs the output of the tailscale status command to the runner's console.

• The Tailscale GitHub Action supports a ping parameter to verify connectivity to tailnet devices.
• The Tailscale GitHub Action logs out the Tailscale ephemeral node at the end of the CI run, removing it from the tailnet immediately.
• The Tailscale GitHub Action is implemented as a JavaScript action and requires runners that are capable of installing Node.js 24.
• Caching of Tailscale binaries is enabled by default.
• DNS resolvers are properly set on macOS. Previously, attempting to reach devices using their full domain of the form my-node.my-tailnet.ts.net would fail due to incorrect DNS settings.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

• Preset apps are available for Amazon AWS services such as Amazon CloudFront, Amazon EC2, and Amazon S3, Salesforce (Hyperforce), and Microsoft 365.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• Use autogroup:self as a destination for any grant, ACL, or SSH src that includes autogroup:<role>, groups, or individual users in the tailnet policy file.

• The Read and List endpoint responses in the Devices API include a connectedToControl flag, which indicates whether the device has recently connected to the Tailscale control server.
• The lastSeen field is included only when connectedToControl is false.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

All platforms

• Control plane connection issues which might have resulted in timing out during retries.

macOS

• Taildrive list of devices loads as expected when selecting File Sharing > Choose Shared Folders.

iOS

• The UI and device list display as expected when initially connecting to the tailnet.

OpenBSD

• The client starts as expected when using the tailscale up command for the first time or re-authenticating a node.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• Kubernetes sidecars no longer error on first run if their state Secret doesn't exist.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• ProxyClass resources supports setting a priorityClassName for created Pods.
• Connector resources can specify multiple replicas for highly available subnet routers, app connectors, and exit nodes.
• DNSConfig resource works as expected for egress ProxyGroups.
• Multi-cluster ingress devices no longer display an erroneous "Invalid certificate" message in the Machines page of the admin console.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

macOS

• The Settings button displays correctly when no account is logged in to the client.
• UserDefaults, which apps and system policies use to store and read preferences, force string values like true or 1 into Booleans as expected.

iOS

• UserDefaults, which apps and system policies use to store and read preferences, force string values like true or 1 into Booleans as expected.

Note: v1.88.0 was an internal-only release.

All platforms

• Tailscale CLI prompts users to confirm with y/n before proceeding with impactful actions.
• Go is updated to version 1.25.1.
• Tailscale SSH works as expected when using an IP address instead of a hostname and MagicDNS is disabled.
• Taildrive folder sharing works correctly even when the su command is not present on the Linux or other Unix-like host.
• Taildrive files remain consistently accessible.

Linux

• The system tray application for Linux desktops can be enabled to display some of the GUI options available in other Tailscale clients, including fast user switching and exit node selection.

Windows

• The existing ExitNodeID=auto:any system policy supports the new ExitNode.AllowOverride policy option that lets users select a different exit node while still requiring exit node usage.

macOS

• The existing ExitNodeID=auto:any system policy supports the new ExitNode.AllowOverride policy option that lets users select a different exit node while still requiring exit node usage.
• Windowed UI mode (beta) provides an updated client experience. To test, go to the Settings page of the admin console and toggle Redesigned macOS Client UI. Once enabled, all macOS clients display the new interface.
• UseSystemProxy default setting to indicate whether Tailscale respects proxy settings defined in System Settings.
• advertiseExitNode system policy is available on macOS.
• macOS 12 is the minimum supported version.
• Automatic recommended exit node selection.
• UI improvements for iOS 26 and macOS 26 compatibility.

iOS

• UI improvements for iOS 26 and macOS 26 compatibility.

QNAP

• New QNAP builds are available again. At the time of this release, you can manually download the update from our packages site. After a period of time, the update will also be available in QNAP App Center.

• The IPv4 and IPv6 addresses for the Singapore DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

• The IPv4 and IPv6 addresses for the Tokyo DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

• The IPv4 and IPv6 addresses for the Sydney DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• DNS lookup errors that occur when routing traffic for a ProxyGroup of type kube-apiserver while running the API server proxy in high-availability mode.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• The IPv4 and IPv6 addresses for the São Paulo DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

Note: v1.86.3 was an internal-only release.

macOS

• EncryptState system policy changes are applied without needing to restart the system extension.
• Startup crash on a fresh install of the Standalone variant of the client when the EncryptState system policy is enabled.

Android

• Persistent notifications about the Taildrop directory picker. The notification only displays on the first attempt to use the feature.

• Use the visual policy editor to manage your tailnet policy file (beta).

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: We previously referred to this as the Tailscale Docker image and now refer to it more generically as the Tailscale container image.

• Improved direct connectivity to ProxyGroup Pods by using external node IP addresses as static endpoints.
• Pod-specific state is cleared on start when running in Kubernetes.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• The first release of Tailscale Kubernetes proxy is available.
• Record kubectl attach and kubectl debug sessions to tsrecorder.
• Helm chart outputs suggests next steps after installation.
• ProxyGroup type kube-apiserver for running the API server proxy in a high-availability mode.
• ProxyClass can use annotations instead of labels. We recommend using annotations, but labels will continue to work.
• Custom Ingress class names are supported instead of the default tailscale class name.
• Static cluster IP for DNSConfig nameservers.
• Improved direct connectivity to ProxyGroup Pods by using external node IP addresses as static endpoints.
• Tags passed to Tailscale Kubernetes Services are validated using tailscale.com/tags annotation to validate ACL tags.
• Kubernetes operator validates that a cluster does not contain more than one Tailscale Kubernetes Service that refers to the same Tailscale Service.
• Reliability of ProxyGroup proxies when updated and restarted.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Note: v1.86.1 was an internal-only release.

All platforms

• A deadlock issue that may have occurred in the client.
• An occasional crash when establishing a new port mapping with a gateway or firewall.

macOS

• Issue preventing the reading of existing state files that may have required device re-approval if device approval is enabled on the tailnet.
• A spurious warning about uninstalling the system extension when upgrading the client.
• tailscale syspolicy CLI command output displays correctly when the KeyExpirationNotice or ReconnectAfter system policies are configured.

Windows

• tailscale syspolicy CLI command output displays correctly when the KeyExpirationNotice or ReconnectAfter system policies are configured.

Note: Tailscale halted the rollout of version 1.86.0 for macOS on July 25, 2025, and for all other platforms on July 28, 2025, due to multiple regressions.

All platforms

• tsStateEncrypted device posture attribute for checking whether the Tailscale client state is encrypted at rest.
• Cross-site request forgery (CSRF) issue that may have resulted in a log in error when accessing the web interface.
• Hostnames are verified as expected when using CONNECT HTTPS proxy to connect to the control plane.
• Recommended exit node when the previously recommended exit node is offline.

Linux

• tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
• tailscaled CLI command flag --encrypt-state encrypts the node state file on the disk using trusted platform module (TPM).

Windows

• tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
• EncryptState system policy enforces storing the node state file in encrypted format on disk using trusted platform module (TPM).
• Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
• AlwaysOn system policy is enforced as expected.
• System tray icon display a notification when the selected exit node is unavailable.
• Mullvad exit node picker hides after switching from a profile with Mullvad exit nodes to one without any exit nodes.
• WDAP/PAC proxy detection on Windows 10 1607 and earlier to ensure successful connectivity when a proxy is required.

macOS

• tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
• ReconnectAfter system policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting.
• EncryptState system policy enforces storing the node state file in the Keychain. The App Store variant of the client always uses the Keychain regardless of this setting.
• OnboardingFlow system policy enforces the suppression of the onboarding flow that displays when the client is installed. This replaces the deprecated TailscaleOnboardingSeen system policy.
• Remove all accounts option in the Debug menu.
• TailscaleOnboardingSeen system policy is deprecated. Use the new OnboardingFlow system policy instead.
• Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
• AlwaysOn system policy is enforced as expected.
• Shortcut action issues.

iOS

• Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
• Reset keychain option issues.
• Shortcut action issues.
• Taildrop resending issues.

tvOS

• Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.

• Securely connect private data sources to Grafana Cloud with Tailscale (beta).

• The domains login.tailscale.com, controlplane.tailscale.com, and api.tailscale.com resolve to static IP address ranges registered and managed by Tailscale. If IP-based rules are required for your firewall, use the IPv4 range 192.200.0.0/24 and the IPv6 range 2606:B740:49::/48.

Note: In most cases, you do not need to configure firewall rules to use Tailscale. For more information, refer to What firewall ports should I open to use Tailscale?

Note: The Tailscale v1.84.3 client release includes fixes for Android TV only, and is exclusively released for Android TV.

Android TV

• Internal issue.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

• The Tailscale GitHub Action works on headless Windows-based runners for systems that do not have a graphical desktop environment. Previously, running tailscale up would fail on systems such as Windows 11 Arm64 due to the missing --unattended argument required to enable unattended mode.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• Issue in high availability (HA) ingress that prevents the Ingress proxies from issuing TLS certificates on initial startup.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• Tailnet Lock GA (generally available)
  • Use Tailnet Lock to require your tailnet to verify new node keys distributed by the coordination server before trusting them.

Windows

• This release is signed with a new code signing certificate. The certificate subject and issuer remain unchanged, but the certificate has a new serial number.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repository.

• Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted from stricter CLI arguments parsing introduced in Tailscale v1.84.0.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• Explicitly specify protocol for Tailscale Services backing HA Ingress.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• App connectors GA (generally available)
  • Secure your software as a service (SaaS) application connections to your tailnet with app connectors.

• Policy file management page in the admin console. Use the Policy file management page to prevent accidental policy file changes.
• Use the External reference section in the Policy file management page to specify the URL for your GitOps for Tailscale repository.
• We deprecated the GitOps code comment technique for specifying the URL for your GitOps for Tailscale repository. Use the Policy file management page in the admin console instead. If you use both the Policy file management page and the code comment technique, the Policy file management setting has precedence.

macOS

• DNS drops when changing networks.

iOS

• Setting to toggle subnet routing.
• Issue where Taildrop notifications may not be presented.
• Issue where subnet routing would default to off.

Android

• Issue where Mullvad nodes may be listed as tailnet devices.
• Issue where subnet routing would default to off.
• Present a modal dialog that explains why you are prompted to select a directory.

• Use grants to define unified network and application layer access controls (generally available).
  • Note: The default tailnet policy file now uses grants syntax instead of the original ACL syntax, but makes no changes to the effective permissions. This applies to all new tailnets and any tailnet policy file that has never been edited.
• Use via to control how traffic routes from a source to a destination, such as through specific exit nodes, subnet routers, or app connectors (generally available).

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

• Tailscale Ingress resource supports high availability (HA) mode and multiplexing by using a ProxyGroup. You can expose an Ingress resource to a tailnet by using multiple active proxy replicas (Pods). You can multiplex multiple Ingress resources on the same set of proxy Pods.

• Tailscale Kubernetes Services support HA mode and multiplexing. You can expose a cluster app to a tailnet by using multiple active network layer proxy Pods to help prevent downtime. You can expose multiple apps to a tailnet on the same set of proxy Pods.

• Tailscale Ingress supports exposing applications deployed across multiple clusters (multi-cluster Ingress) to the tailnet.

• Pods deployed for a Recorder resource can use AWS IAM Roles for Service Accounts (IRSA) instead of static Amazon S3 credentials by configuring the created ServiceAccount object's name and annotations.

• Tailscale Kubernetes Services support exposing to tailnet applications that are deployed across multiple clusters (multi-cluster Service).

• Tailscale Kubernetes operator needs to watch EndpointSlice objects at cluster scope, to ensure failover for multi-cluster Service and Ingress resources in cases where there are no healthy backends in one of the clusters.

• The Kubernetes Operator will default any path left unset on an Ingress resource to the / path.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

All platforms

• The --reason flag is added to the tailscale down command.
• Tailscale CLI commands throw an error if multiple of the same flag are detected.
• Network connectivity issues when creating a new profile or switching profiles while using an exit node.

Linux

• DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet.

Windows

• AlwaysOn.Enabled and AlwaysOn.OverrideWithReason policy settings, which enable and configure a Tailscale client mode where the client stays connected at all times, unless an exception applies.
• ReconnectAfter policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting.
• When Always On mode is enabled, Tailscale connects as soon as a user signs in to the device and stays connected, regardless of whether the GUI is running. This enables access to tailnet resources, such as network-mapped drives, earlier in the sign-in process, and can also be used on headless Windows environments.
• EnableDNSRegistration policy setting, which configures whether Tailscale IP addresses should be registered with Active Directory DNS.
• The Tailscale GUI starts for all signed-in users when the client is installed.
• DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet.
• Issue where the Tailscale GUI would not start if the client was installed via Group Policy or mobile device management (MDM) while a user was already signed in.
• Issue where the Tailscale GUI did not auto-start after a client update.

macOS

• AlwaysOn.Enabled and AlwaysOn.OverrideWithReason policy settings, which enable and configure a Tailscale client mode where the client stays connected at all times, unless an exception applies.
• ForceEnabled policy setting is deprecated in favor of the AlwaysOn policy setting.
• DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet.
• Tailscale automatically recreates and/or reactivates its VPN configuration on start.
• Occasional crash in client during engine updates.
• Taildrop share sheet displays the correct error page when the tunnel is not connected.
• Hostname detection is improved in macOS clients running on macOS v15.x.
• Client (GUI) logs are properly captured and recorded in bug reports.

iOS

• AlwaysOn.Enabled and AlwaysOn.OverrideWithReason policy settings, which enable and configure a Tailscale client mode where the client stays connected at all times, unless an exception applies.
• ForceEnabled policy setting is deprecated in favor of the AlwaysOn policy setting.
• Taildrop share sheet displays the correct error page when the tunnel is not connected.
• Tailscale automatically recreates and/or reactivates its VPN configuration on start.
• Client (GUI) logs are properly captured and recorded in bug reports.
• Occasional crash in client during engine updates.

tvOS

• Tailscale automatically recreates and/or reactivates its VPN configuration on start.
• Client (GUI) logs are properly captured and recorded in bug reports.
• Occasional crash in client during engine updates.

Android

• ReconnectAfter policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting.
• Issue where Tailscale was disconnecting after excluding apps via split tunneling.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

Note: This version contains no changes except for library updates.

• The Keys management APIs and Terraform Provider support managing OAuth clients programmatically.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• We made a change to how device posture integrations are scheduled, prioritizing syncing of attributes for new nodes. Tailnets that use device posture integrations should see third-party attributes populated for new nodes faster than before.

• The ACL editor in the Access Controls page of the admin console supports code folding, improving usability when navigating and managing large tailnet policy files. Collapse and expand sections like hosts and groups for a cleaner editing experience.

All platforms

• A panic issue related to CUBIC congestion control in userspace mode is resolved.

macOS

• The VPN approval message during the client installation displays as expected.
• An issue related to the reachability of upstream DNS servers with loopback IPs is resolved.

Windows

• A service panic issue on the 32-bit version of Windows 10 is resolved.

Note: Tailscale v1.82.4 includes fixes for Android devices only, and is exclusively released for Android. Tailscale v1.82.2 and v1.82.3 were internal-only releases.

Android

• An issue that might have resulted in the Tailscale app crashing on devices running versions earlier than Android 13 is resolved.

• Use the Tailscale GitHub Action on macOS and Windows runners (generally available). For more information, see the topic Tailscale GitHub Action.
• The Tailscale GitHub Action supports caching Tailscale binaries when the use-cache input is set to 'true'.

v0.19.0 of the Tailscale Terraform Provider has been released with the following changes:

• tailscale_logstream_configuration resource supports configuring uploadPeriodMinutes and compressionFormat.

• Use Tailscale Kubernetes Operator session recording to record kubectl exec session contents when using the Kubernetes API server proxy (beta).

• Tailscale Kubernetes Operator GA (generally available).
  • Use the Kubernetes Operator to integrate Tailscale with Kubernetes clusters.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• Alpine image is updated to version 3.19.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

• Ingress TLS certificates can be issued from Let's Encrypt's staging environment to avoid bumping into rate limits during initial setup. See our GitHub documentation on ProxyClass APIs to learn more.
• Alpine image is updated to version 3.19.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Note: v1.82.1 includes fixes for Android devices only, and is exclusively released for Android.

Android

• Device search is available on Android TV running Android 13 or later.
• Enhanced device search UI is available on all devices running Android 13 or later.

All platforms

• DERP functionality within the client supports certificate pinning for self-signed IP address certificates for those unable to use Let's Encrypt or WebPKI certificates.
• Go is updated to version 1.24.1
• NAT traversal code uses the DERP connection that a packet arrived on as an ultimate fallback route if no other information is available, in the event of a slow or misbehaving server.
• Captive portal detection reliability is improved on some in-flight Wi-Fi networks, including British Airways and WestJet.
• Port mapping success rate is improved by retrying in additional error cases.
• Web interface setting changes occur as expected and without error.

macOS

• The .pkg installer size is decreased by 35%.
• Memory leak issue related to shortcuts is resolved.
• MagicDNS intermittent configuration failures no longer occur when waking from sleep.
• Seamless key renewals occur as expected, ensuring the client remains connected.

iOS

• Memory leak issue related to shortcuts is resolved.
• MagicDNS intermittent configuration failures no longer occur when waking from sleep.

Android

Note: The Android client release for v1.82.0 was delayed and moved into the v1.82.1 client release instead.

App connectors

• Port mapping success rates for app connectors are improved.

• The Tailscale GitHub Action supports running on Windows runners (beta).
• The Tailscale GitHub Action supports running on macOS runners (beta).

• An issue related to admin console sessions remaining active longer than the configured console session inactivity timeouts (TS-2025-001).

• Helsinki is added as a DERP region.

• Promo codes can be applied when upgrading to a Tailscale paid plan in the Billing page of the admin console. While upgrading your plan, go to the Upgrading to section and select Apply promo code. For more information, see Pricing & Plans FAQ.

Linux

• Web interface setting changes occur as expected and without error.

App connectors

• App connectors respond to DNS queries and update routes without failure. Previously, DNS resolution failures may have occurred due to a routing deadlock issue.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

Note: This version contains no changes except for library updates.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

v0.18.0 of the Tailscale Terraform Provider has been released with the following changes:

• The tailscale_logstream_configuration resource can now manage streaming to Amazon S3 and S3-compatible services
• The tailscale_tailnet_key resource can now be imported.
• Added a reset_acl_on_destroy property to the tailscale_acl resource which optionally allows for resetting the Tailscale policy file to its default when the resource is destroyed.

• Ashburn and Nuremberg are added as DERP regions. We added them December 5, 2024, and apologize for the late notice.

All platforms

• Nodes could lose the display names of owners of peers in rare cases. This had manifested in missing names in tailscale status and could prevent incoming Tailscale SSH connections from being accepted. The behavior is reverted to that of v1.78.x and earlier.

Linux

• SSH clients that skip the none auth method and immediately try publickey can connect to Tailscale SSH as expected. The behavior is reverted to that of v1.78.x and earlier.

macOS

• SSH clients that skip the none auth method and immediately try publickey can connect to Tailscale SSH as expected. The behavior is reverted to that of v1.78.x and earlier.

FreeBSD

• SSH clients that skip the none auth method and immediately try publickey can connect to Tailscale SSH as expected. The behavior is reverted to that of v1.78.x and earlier.

• Use ip:country as a geolocation device posture attribute (generally available).

macOS

• System extension uninstalled message no longer appears erroneously when removing third-party system extensions while Tailscale is running.
• Resolved an issue that could have caused the network extension to crash in rare cases while parsing the macOS routing table.

iOS

• Resolved an issue that could have caused the network extension to crash in rare cases while parsing the iOS routing table.

tvOS

• Resolved an issue that could have caused the network extension to crash in rare cases while parsing the tvOS routing table.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
• Tailscale Funnel configuration on devices displays errors when incoming connections are not permitted and connections are disallowed.
• Tailscale Funnel disabled on a device no longer displays as enabled in the admin console.
• Serve config provided using the TS_SERVE_CONFIG environment variable successfully loads for tailnets with HTTPS disabled, as long as the serve config does not define an HTTPS endpoint.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• The optional ServiceMonitor created for the proxy metrics endpoints can be labelled with user-specified labels.
• Proxies created for the Kubernetes Operator dynamically reload the tailscaled configuration when it has changed. Changes such as a hostname might mean slightly slower change propagation (up to a minute), but less downtime.
• TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
• Improved failover for egress ProxyGroup replicas. Replica restarts no longer cause downtime for cluster workloads that access tailnet targets using egress ProxyGroup.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.

All platforms

• Hostname system policy is added for overriding the device hostname configured by the operating system, using an MDM solution.
• tailscale configure CLI command and corresponding subcommands are no longer in alpha, except for the subcommand kubeconfig, which remains in alpha.
• Web interface displays a Login button instead of the Reauthenticate button when adding a new device to your tailnet.
• Tailscale Funnel configuration on devices displays errors when incoming connections are not permitted and connections are disallowed.
• Connections to a custom coordination server that does not support HTTPS will no longer fail when a custom port number is specified.

Linux

• TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
• Tailscale Funnel disabled on a device no longer displays enabled in the admin console.

Windows

• Onboarding flow is added for easier initial setup of the app.
• TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
• Client installs as expected when using Group Policy Software Installation (GPSI).
• Race conditions that result in an incorrect state or a deadlock no longer cause issues when multiple Windows users are logged in simultaneously.

macOS

• configure sysext activate, configure sysext deactivate, and configure sysext status CLI commands are added to the Standalone variant for managing the activation flow of the macOS system extension programmatically.
• Standalone variant detects if the system extension is manually disabled or uninstalled by the user and displays a notice in the client UI.
• Flush DNS Cache option is added to the Debug menu.
• TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
• App preferences re-set configures Use Tailscale Subnets to On and Allow Incoming Connections to Off as these are the default settings.
• Find Devices shortcut action no longer hangs.
• Standalone variant works as expected when users are not members of staff macOS user group.

iOS

• Auth keys can be used for connecting to a custom coordination server.
• VPN extension no longer runs when logging out.
• Find Devices shortcut action no longer hangs.

tvOS

• Auth keys are supported for authenticating an Apple TV in your tailnet.
• Auth keys can be used for connecting to a custom coordination server.
• VPN extension no longer runs when logging out.

Android

• Devices can be configured as a subnet router in the Settings menu of the app.

• When a user changes their GitHub username used to authenticate to a GitHub personal tailnet, upon next Tailscale login their tailnet name will automatically be renamed. This is a change from the previous behavior, which required the user to file a request with the Tailscale support team to rename the tailnet.

• Use 4via6 subnet routers to route traffic when you have existing subnets with overlapping IPv4 addresses (generally available).

• Use auto approvers to auto-approve advertised subnet routes and exit nodes (generally available).

• Configure different NextDNS profiles for different devices using nodeAttrs (generally available).

• Download invoices for your Tailscale account in the Billing page of the admin console (generally available).

• Use fast user switching to quickly switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate (generally available).

• Stream configuration audit logs to Amazon S3 and S3-compatible services (generally available).

• Stream network flow logs to Amazon S3 and S3-compatible services (generally available).

• Use different NextDNS profiles for different devices (generally available).

• GitHub secret scanning supports detecting and revoking leaked Tailscale secrets.

Note: Tailscale v1.78.2 was an internal-only release.

Containers

• Unit test that would previously fail if run in a container.

iOS

• Advanced DNS Settings view unexpectedly dismissed on iPhone.

Android

• Work in progress search bar is hidden behind a flag until the feature is ready.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• A nil pointer exception when serve config is provided via the TS_SERVE_CONFIG environment variable.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

Note: This version contains no changes except for library updates.

• The Mullvad exit nodes add-on can be purchased for tailnets that are in trial mode.

Note: Purchasing the Mullvad exit nodes add-on for your trial tailnet will result in changes requiring action. For more information, see the Pricing & Plans FAQ topic.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

• Device posture integrations GA (generally available)
  • Restrict device access with Tailscale device posture management and additional GA integrations: Jamf Pro, Kandji, Microsoft Intune, and SentinelOne.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
• Clients should more accurately detect whether they are in a container when checking for updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• Tailscale client metrics can be enabled using a ProxyClass with the .spec.metrics.enable field set.

• All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.

• ProxyClass supports configuring topology spread constraints for the Proxy Pods.

• Connector Custom Resource Definition (CRD) can be used to configure the Kubernetes Operator to deploy a Tailscale app connector on Kubernetes.

• Tailscale running on Kubernetes and using a Kubernetes Secret as a state store writes Kubernetes Events to its Pod when changes occur to the state stored in the Kubernetes Secret. The same is true when there are errors related to reading or writing the state. This should help debugging issues related to transient errors when talking to the Kubernetes API server to retrieve or update the state Secret.

• Kubernetes Operator can optionally create a Prometheus ServiceMonitor for proxy resources that have Tailscale client metrics enabled.

• Container Storage Interface (CSI) driver volume for the operator's OAuth client credentials can be configured by using Helm values.

• Kubernetes Ingress has clearer warnings if it has been deployed to a tailnet that has no HTTPS enabled. Specifically, a new warning in proxy logs and empty hostname on the Ingress status.

• tailscale.com/tailnet-ip annotation is validated that it holds a valid IP address.

• Timeout for Kubernetes API server calls for reading/updating tailscaled state stored in a Kubernetes Secret has been changed from 5 seconds to the total of 30 seconds for the read/update operation and an operation to emit an Event about the state update. This should reduce errors related to slow API server connections.

• The ProxyClass field .spec.metrics.enable enables metrics at both /metrics and /debug/metrics, but /debug/metrics is deprecated. Users relying on /debug/metrics need to set .spec.statefulSet.pod.tailscaleContainer.debug.enable (which is a new field in Tailscale 1.78.1) until Tailscale 1.82.0 releases. When 1.82.0 releases, /metrics and /debug/metrics will both independently default to false.

• Kubernetes operator proxy containers created for ingress and egress Service resources, Connectors and ProxyGroups are privileged. This is needed because of recent changes in containerd. For more context, see tailscale/tailscale/pull/14262.

• Tailscale running on Kubernetes reads its state from a Secret only once, and that is upon initial start. This should reduce bugs caused by transient issues when connecting to the Kubernetes API server as well as reduce the load on the API server and improve latency for state operations.

• Kubernetes Egress Service ports for ProxyGroup can be changed from a single unnamed port to one or more named ports.

• Clients should more accurately detect whether they are in a container when checking for updates.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
• Clients should more accurately detect whether they are in a container when checking for updates.

All platforms

• Issue which resulted in an unwanted change in source code line endings.

All platforms

• Client metrics have been added, to provide insights into Tailscale client behavior, health, and performance.
• tailscale metrics command has been added, to expose and collect client metrics for use with third-party monitoring systems.
• tailscale syspolicy command has been added, to list system policies, reload system policies, or view errors related to the system policies configured on the device.
• Tailscale system policies are applied immediately when pushed via mobile device management (MDM) or Group Policy, without requiring a client restart.
• Tailscale SSH session recording detects the disappearance of the recorder node sooner. This fix addresses a security vulnerability described in TS-2024-013.

Windows

• UI customization system policies are configurable for both devices and users.

macOS

• UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
• The macOS configuration report diagnostic tool can collect a larger amount of diagnostics when requested by Tailscale support. This includes system and process logs on the Standalone variant.
• Update Available notifications include a link to the client changelog.
• On macOS Sequoia, in System Settings.app > Login Items & Extension, Tailscale is listed as Tailscale Network Extension instead of IPNExtension, to reduce user confusion.
• Performance optimizations reduce CPU and memory usage when parsing network maps, especially for users on larger and busy tailnets.
• Performance optimizations at the UI layer reduce flickering of the menus, especially for users on larger and busy tailnets where the contents of the network map change very frequently.
• Error messages displayed when failing to toggle a setting are improved and easier to understand.

iOS

• UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
• On iPhones and iPads running iOS 18, the VPN can be toggled from Control Center. Hold down in an empty space to add the Tailscale Control.

tvOS

• UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.

Android

• Authentication by using a generated code is available for Android TV users.
• Search bar shows suggestions.
• The default avatar displays if the user has no profile picture.
• False positive health warnings in the UI are reduced.
• Health warnings are no longer displayed in the UI after stopping Tailscale.
• Crashes when sharing a file using Taildrop from another Android app are reduced.
• UI padding of the main app toolbar is improved.

• ip:country has been added as a device posture attribute (beta).

• New scopes for OAuth clients have been added with more granular permissions. Existing OAuth clients using the previous set of scopes, and keys generated using these clients, are still valid.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• Logging for when clients move home DERP regions is improved.
• Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• Logging for when clients move home DERP regions is improved.
• Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

• Tailscale network flow logs and configuration audit logs can now be streamed to Amazon S3 and S3-compatible services (beta).

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• Logging for when clients move home DERP regions is improved.
• Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Note: v1.76.4 and v1.76.5 were internal-only releases.

All platforms

• Logging for when clients move home DERP regions is improved.
• Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Android

• Android app no longer terminates unexpectedly when performing network transitions.

• User approval GA (generally available)
• Invite any user GA

• 1Password Extended Access Management (XAM) GA (generally available)
  • Restrict device access with 1Password XAM (formerly known as Kolide) and Tailscale device posture management.

Note: v1.76.3 includes fixes for Windows devices only, and is exclusively released for Windows.

Windows

• Mullvad VPN submenu no longer fails to populate with Mullvad exit nodes if there aren't any non-Mullvad exit nodes in the tailnet.

Note: v1.76.2 includes fixes for Android TV devices only, and is exclusively released for Android.

Android

• D-Pad navigation is optimized in the Tailscale app on Android TV devices.

All platforms

• tailscale netcheck CLI command no longer crashes when performing diagnostics on networks lacking UDP connectivity.
• Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.

Linux

• dbus login sessions no longer fail on systems where /bin/login is missing.

Android

• Android application no longer crashes in certain configurations when editing the app-based split tunneling settings.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

• User & group provisioning for Google Workspace GA (generally available)
  • Sync Google Workspace groups and users to use in your Tailscale ACLs.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• Tailnet services can be exposed to cluster workloads on multiple proxy replicas using a ProxyGroup. It's also possible to expose multiple tailnet services on a single set of ProxyGroup replicas.
• Single use proxy auth keys no longer persist in the state Secrets after the proxies have logged in. This should fix an issue where, in some edge cases, the leftover keys were causing the proxies to attempt to re-authenticate after Pod restart.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• State directory can be set with the TS_STATE_DIR environment variable. The state directory also defaults to /tmp/ for all tsrecorder installations that explicitly set the statefile location.

All platforms

• Clients lacking UDP connectivity no longer skip performing fallback latency measurements with DERP servers.
• Warnings no longer display unnecessarily.
• Tailscale connectivity on flights using Inflight Internet Wi-Fi (such as Alaska Airlines) no longer fails.
• Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
• Error messages include explanations in addition to the HTTP status code.

Linux

• Tailscale SSH supports sending environment variables to hosts. It's also possible to specify permitted environment variables using the acceptEnv field.
• Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when resizing the application window.

Windows

• Ping messages sent through subnet routers to unreachable hosts no longer generate ping responses.

macOS

• Tailscale SSH supports sending environment variables to hosts. You must specify permitted environment variables using the acceptEnv field.
• Tailscale .pkg installer for the standalone variant prevents potential conflicts by showing a warning if it detects a Homebrew install of Tailscale.
• Bug report view shows a warning if Tailscale detects that Cloudflare WARP is installed. Some Cloudflare WARP configurations conflict with Tailscale.
• DNS settings no longer improperly set when keys expire or Tailscale stops.

iOS

• Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
• DNS settings no longer improperly set when keys expire or Tailscale stops.

tvOS

• DNS settings no longer improperly set when keys expire or Tailscale stops.

Android

• Account switcher displays the server hostname if the account uses a custom coordination server.
• Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
• Quick tile toggle no longer fails to turn on Tailscale if Tailscale had been manually disconnected before it was last shut down.

• The Personal Plus pricing plan offers the same features as the Personal plan with up to 6 users for a flat rate. For details about billing, plan comparison, and support, see Pricing & Plans FAQ.

Tailscale v1.74.2 addresses an issue for iOS, and is exclusively released for that platform.

iOS

• The Tailscale app launches as expected when Wi-Fi Calling on This iPhone is enabled in the iOS Cellular settings.

• Tailnets containing multiple users can be deleted from the admin console without first deleting the users manually.

• The optional expiry and comment parameters have been added to the Set custom device posture attributes endpoint of the device posture attribute API.

Tailscale v1.74.1 addresses issues for Linux and Android, and is exclusively released for those platforms.

Linux

• Linux-only NAT traversal optimization added in v1.74.0 is now disabled following a bug report. The behavior is reverted to that of v1.72.x and earlier and will be re-added in a future release.

Android

Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.

• Device network change detection is improved to reflect accurate Tailscale DNS configuration updates.
• System policies for the Android client on ChromeOS work as expected.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• Recorder CRD (custom resource) is added for deploying the Tailscale tsrecorder to Kubernetes.
• Default ProxyClass can now be specified for the Kubernetes Operator proxies. If you are using Helm, the default ProxyClass can be configured in the proxyConfig.defaultProxyClass Helm value or set using PROXY_DEFAULT_CLASS environment variable.
• Wildcards in RBAC role definitions are replaced with exact verbs.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

v0.17.0 of the Tailscale Terraform Provider has been released with the following changes:

Resources

• Manage webhooks with tailscale_webhook.
• Manage contact preferences with tailscale_contacts.
• Manage device posture integrations with tailscale_posture_integration.
• Manage log streaming with tailscale_logstream_configuration.
• Manage Tailnet settings with tailscale_tailnet_settings.
• Changing the domain attribute for tailcale_dns_split_nameservers now properly removes the previous domain value.

Data Sources

• Fetch information for multiple users with tailcale_users.
• Fetch information for a specific user with tailscale_user.

All platforms

• AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
• tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
• Go is updated to version 1.23.1.
• Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
• Log In option in the client works as expected.

Linux

• TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
• TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.

Windows

• The client no longer connects to a tailnet automatically when restarting or switching profiles.
• Profiles created as Local System with Unattended Mode enabled are retained after a reboot.

macOS

• The open-source variant of the Tailscale client can now read the system DNS configuration to provide DNS resolution when tailscale set -—accept-dns or tailscale up -—accept-dns is enabled and the Override local DNS option in the DNS page of the admin console is disabled.
• DNS resolution continues to work after a key expires.

tvOS

• The ping feature allows you to observe connectivity performance between your Apple TV and other devices in your tailnet.

Android

Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.

• Tailscale DNS works as expected when switching between Wi-Fi and cellular networks.
• System policies for the Android client on ChromeOS work as expected.

• Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.

Tailscale v1.72.2 addresses issues for macOS, iOS, and tvOS, and is exclusively released for those platforms.

macOS

• An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.
• An issue that could prevent Tailscale from automatically launching at login on some Macs is fixed.

iOS

• An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.

tvOS

• An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.

• Admin console session timeouts from inactivity are now configurable from the User Management Settings page of the admin console.

Tailscale v1.72.1 addresses a Linux-specific issue, and is exclusively released for the Linux platform and containers.

Linux

• TCP generic segmentation offload (GSO) support for userspace mode is removed.
• DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• An HTTP health check endpoint at /healthz can be enabled by setting TS_HEALTHCHECK_ADDR_PORT to [addr]:port.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

• Additional environment variables can now be passed for the Kubernetes Operator deployment via Helm chart options.
• DNSConfig CRD reconcile logic is fixed for dual-stack clusters.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• Running without HTTPS is now allowed when UI is disabled.

All platforms

• Captive portal detection is now supported.
• The tailscale cert command now contains the --min-validity flag. Use this flag to request a specified minimum remaining validity on the returned certificate. This flag is intended for automation, like cron jobs, that periodically refreshes certificates.
• The tailscale lock command now supports passing keys as files. To pass a key as a file, use the prefix file: followed by the path to the file: file:<path-to-key-file>.
• A health warning is now raised if Tailscale is unable to forward DNS queries to the configured resolvers.
• An increase in send and receive buffer sizes for userspace mode TCP improves throughput over high latency paths.

Linux

• The addition of TCP generic segmentation offload (GSO) support to userspace mode improves throughput.

macOS

Note: macOS 10.15 Catalina is no longer supported. See the v1.60.0 changelog for our initial end of life announcement.

• Notifications are sent when a captive portal is detected.
• Health warnings in the UI are now sorted by their severity level.
• Reliability of the authentication process when launching the web browser is improved.
• The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

iOS

• Notifications are sent when a captive portal is detected.
• Health warnings are displayed when connectivity is impacted.
• An error message is displayed while attempting to start the VPN when both Wi-Fi and cellular interfaces are down, instead of failing silently.
• The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

tvOS

• Notifications are sent when a captive portal is detected.
• The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

Android

• Health warnings, if any are present, are displayed in the main view of the app.

• Access control policies using via are included in the Preview rules tab of the Access Controls page of the admin console.

• User & group provisioning for Microsoft Entra ID GA (generally available)
  • Sync Microsoft Entra ID groups and users to use in your Tailscale ACLs.

• SSH src in ACL rules supports all role-based autogroups.

• 1Password XAM is available as a device posture integration (beta)
• Jamf Pro is available as a device posture integration (beta)
• Kandji is available as a device posture integration (beta)
• Microsoft Intune is available as a device posture integration (beta)
• SentinelOne is available as a device posture integration (beta)

• Control D DNS is available as a global nameserver in your tailnet.

We have added the following endpoints to Tailscale's public API:

Device endpoints

• Set device name

Webhook management endpoints

• Get a webhook

Tailnet settings endpoints

• Get tailnet settings.
• Update tailnet settings.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• Egress proxies specified by an FQDN now work also for IPv6-only network stacks.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

• Egress proxies specified by an FQDN now work also for IPv6-only network stacks.
• Tailscale Service status now includes a custom Tailscale proxy status condition.
• Optionally record kubectl exec sessions.
• Cluster resources for failed egress proxies are now correctly cleaned up when the parent Service is deleted.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• tsrecorder now plays session recordings for interactive sessions initiated by a command that explicitly specifies shell.

All platforms

• Restrict recommended and automatically selected exit nodes using the new AllowedSuggestedExitNodes system policy. Applies only to platforms that support system policies.
• Improved NAT traversal for some uncommon scenarios.
• Optimized sending firewall rules to clients more efficiently.
• Exit node suggestion CLI command now prints the hostname (which you can use with the tailscale set command).
• Taildrive share paths configured through the CLI resolve relative to where you run the tailscale command.

Linux

• Switching from unstable to stable tracks using the tailscale update command now works correctly.

Windows

• Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• The new AllowedSuggestedExitNodes system policy restricts which exit nodes Tailscale recommends or automatically selects.
• DNS leak issue.
• Switching from unstable to stable tracks using the tailscale update command now works correctly.
• Taildrive server no longer starts unnecessarily when no drives are configured.

macOS

Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.

• Toggle Tailscale DNS from Siri or the Shortcuts app.
• Receive health notifications in the client menu on macOS to inform you about lack of internet connectivity, firewalls blocking Tailscale, misconfiguration issues, and other issues. Health issues that affect connectivity also change the Tailscale icon in the system menubar to show an exclamation mark.
• On MacBooks with a notch in the display, a notification window will now appear if the Tailscale icon is hidden behind the notch due to too many menubar items.
• The Tailscale client now warns you when the built-in macOS content filter (Screen Time) prevents Tailscale from connecting.
• Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• The exit node picker no longer presents exit node suggestions if the organization enforces always using the suggested exit node using the ExitNodeID system policy.
• Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
• Taildrive server no longer starts unnecessarily when no drives are configured.
• Increased the reliability of the Install Updates Automatically setting.

iOS

• Toggle Tailscale DNS from Siri or the Shortcuts app.
• Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• wireguard-go memory pool deadlock issue is resolved.
• Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
• User interface no longer flickers when selecting an exit node.

tvOS

• Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• wireguard-go memory pool deadlock issue is resolved.
• User interface no longer flickers when selecting an exit node.

Android

• Access ping information and connection status by long-pressing on a device in the devices list and selecting Ping.
• Use split tunneling to force or exclude app traffic through your tailnet.
• wireguard-go memory pool deadlock issue is resolved.

• Indent shut down their service effective July 15, 2024. If you were using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration with Tailscale.

• The process for creating a new tailnet now asks you if the tailnet will be primarily used At work or At home. This determines whether to enroll the tailnet into a 14-day trial or the Personal plan. For more details, see the Tailscale quickstart topic.
• Newly created tailnets using custom domains are no longer automatically enrolled in a trial. Instead, the At work or At home selection determines trial enrollment.

• Access an OpenAPI spec for the Tailscale API. The spec is used to generate our new interactive documentation. Note that the spec definition may change without notice, so should not be relied upon for stability.
• Access interactive documentation for the Tailscale API.

New API endpoints

We have added the following endpoints to Tailscale's public API:

Logging endpoints

• Get log streaming status.
• Get log streaming configuration.
• Set log streaming configuration.
• Disable log streaming.
• Created a new endpoint for listing configuration audit logs. An earlier version of this endpoint is still supported for backwards compatibility.
• Created a new endpoint for listing network flow logs. An earlier version of this endpoint is still supported for backwards compatibility.

Webhook management endpoints

• List all webhooks for a tailnet.
• Create a new webhook.
• Update a webhook.
• Delete a webhook.
• Test a webhook.
• Rotate a webhook secret.

Device posture endpoints

• List all posture integrations.
• Create a posture integration.
• Update a posture integration.
• Delete a posture integration.

User management endpoints

• List all users in the tailnet.
• Get details about a specific user.
• Update the role for a specific user.
• Approve a pending user's access to the tailnet. This is only applicable to tailnets that have enabled user approval.
• Suspend a user. Available for the Personal and Enterprise plans.
• Restore a suspended user. Available for the Personal and Enterprise plans.
• Delete a user. Available for the Personal and Enterprise plans.

User invite endpoints

• List all open (not yet accepted) user invites to the tailnet.
• Create user invite links and send user invite emails.
• Get details for a specific user invite.
• Delete an open (not yet accepted) user invite.
• Resend an open (not yet accepted) user invite that was originally sent via email.

Device invite endpoints

• List all open (not yet accepted) device invites.
• Create device invite links and send device invite emails.
• Get details for a specific device invite.
• Delete an open (not yet accepted) device invite.
• Resend an open (not yet accepted) device invite.
• Accept a device invite to your tailnet.

Contact preferences endpoints

• List the tailnet's current contact preferences.
• Update a tailnet contact.
• Resend the verification email for a tailnet contact.

• Invite team member invites are now automatically deleted 90 days after the last welcome email was sent.

• IP sets GA (generally available)
  • Use IP sets to target and manage cross-sections of your tailnet independently of other groupings like subnets, tags, and groups.

• Use Via to add routing awareness to grants (beta).
  • Define the exit nodes, subnet routers, or app connectors a source can access when they use a specific destination.

All Platforms

• Tailnet Lock validation of rotation signatures now permits multiple nodes signed by the same pre-signed reusable auth key.

macOS

• Wake from sleep reliability is improved for re-connections and transitions between networks.

iOS

• Wake from sleep reliability is improved for re-connections and transitions between networks.

• User & group provisioning for Google Workspace (beta)

• Indent has announced they are shutting down 12:00 PM PST July 15, 2024. If you are using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration by that time.

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

• UDP GRO forwarding can be turned on for containers configured as Tailscale subnet routers or exit nodes, using the new environment variable TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS. To learn more, see Performance best practices.
• Containers that run on Kubernetes and store the tailscaled state in a Kubernetes Secret can now be enforced to read the Kubernetes API server address and port from the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS. By default, the values are read from the Kubernetes Service in the default namespace. To enforce the environment variables, set TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV to true.

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

• Tailscale Kubernetes operator proxies can now be configured to accept routes advertised by tailnet peers using the new proxyClass.spec.tailscale.acceptRoutes field. To learn more, see our ProxyClass documentation.
• Images and image pull policies can be configured for individual Tailscale Kubernetes operator proxies using ProxyClass.
• Connector Custom Resources status now includes the proxy's tailnet IP addresses and MagicDNS name.
• Helm values file now allows configuring image repositories using a repository key, which is a standard and expected by some tools.

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• --state flag or the TS_STATE environment variable can be used to specify a Kubernetes Secret as tailscaled state store when deploying the tsrecorder container.
• --dst flag for destination can be set as the environment variable TSRECORDER_DST when deploying the tsrecorder container.
• --bucket flag for the S3 bucket name can be set as the environment variable TSRECORDER_BUCKET when deploying the tsrecorder container.
• --hostname flag for the hostname can be set as the environment variable TSRECORDER_HOSTNAME when deploying the tsrecorder container.
• --ui flag for the user interface can be set as the environment variable TSRECORDER_UI when deploying the tsrecorder container.
• AWS ambient credentials can be used to access the S3 backend.

All Platforms

• 4via6 subnet router advertisement works as expected.

Linux

• Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.

Android

• Android TV navigation is improved.

All Platforms

• Auto-updates are available for containers. The tailnet-wide default is ignored in containers.
• When enabled, auto-updates get applied even if the node is down or disconnected from the coordination server.
• tailscale lock status now prints the node's signature.
• Go is updated to version 1.22.4.

Windows

• .exe installer no longer downloads MSI packages for Windows 7 and Windows 8, automatically. See the v1.42.0 changelog for our initial end of life announcement.

macOS

• Standalone variant of the client can now install a launcher for the Tailscale CLI in /usr/local/bin by going to Settings, CLI integration, then Show me how.
• Standalone variant of the client now supports notifications when a file is received using Taildrop.
• Pop-up notification displays when a network might be vulnerable to a potential TunnelVision attack. For more information, see TunnelVision vulnerability and Tailscale.
• Client starts up more reliably if another VPN app is running when Tailscale is enabled.
• .pkg installer terminates pre-existing copies of Tailscale and the VPN extension before proceeding with installation if Tailscale was already installed.
• TunnelBear installation is properly detected, and warns the user about incompatibility.
• Using Exit Node label no longer appears incorrectly in the app menu before completing onboarding, upon the first time app launch.
• Fixed a bug with split DNS domains being used as search domains after a network change.

iOS

• Battery life is optimized by offloading DNS resolution to iOS in more cases.
• Client now starts more reliably if another VPN app is running when Tailscale is enabled.
• Bug report view no longer copies the bug report ID to the clipboard automatically.
• Reauthenticate button for in-app key expiry notifications works as expected.
• Dark mode contains minor changes to UI colors.
• Fixed a bug with split DNS domains being used as search domains after a network change.

tvOS

• Client now starts more reliably if another VPN app is running when Tailscale is enabled.
• Reauthenticate button for in-app key expiry notifications works as expected.

Android

• On-off toggle state better matches the actual client state.
• Status notifications when Tailscale is disconnected are now background notifications, and tapping on notifications launches the Tailscale app.
• Client starts automatically after the first login.
• System policy (MDM) support is added for mandatory exit nodes.
• Organization name is now rendered properly when set in the ManagedByOrganizationName system policy.
• Crashing no longer occurs when launching Tailscale and another VPN application was already running.
• Running an exit node no longer lets you use another device as an exit node and vice versa.
• Home screen shows the selected exit node country and city when using Mullvad exit nodes.

Note: The Tailscale client releases for containers such as the Kubernetes operator, Docker image, and tsrecorder are typically released a few days after the initial client release. A separate changelog will be published when client updates for containers are available.

• You can now automatically select a recommended exit node based on client information (such as location).

• Exit node destination logging can now be configured from the Network flow logs tab in the Logs page of the admin console.

All platforms

• Restored UDP connectivity through Mullvad exit nodes.

Linux

• Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.

Note: Tailscale v1.66.2 was an internal-only release.

All platforms

• Login URLs did not always appear in the console when running tailscale up.

Android

• Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
• Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
• The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
• The "Enable" button in the exit node selector banner now renders with the correct background color.

Kubernetes operator

• Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
• Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
• Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #11019.
• Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019.
• Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD. Refer to ProxyClass API.
• Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.
• Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
• Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to ProxyClass API.
• Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.

Containers

• Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326.
• Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326.

• Use the Light, Dark, or Use system setting theme in the admin console by clicking the avatar menu on the top-right and selecting Appearance. The default theme is Use system setting.

• The Tailscale app for Android is now available in the Amazon Appstore for Amazon Fire TVs and tablets.

This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.

Linux

• tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
• Issue with nftables rules for stateful filtering, introduced in v1.66.0.

macOS

• A version mismatch warning no longer displays when upgrading, if no mismatch is detected.

• As part of a security fix to address an issue related to exit nodes and subnet routing (TS-2024-005), changes are made to ACLs.
  • The meaning of * when used in the src field in ACLs has been changed. Previously, * expanded to include any IPv4 and IPv6 address. With this change, * expands to all Tailscale IP addresses and all IP addresses from approved subnet routes.
  • The new autogroup:danger-all ACL type has been added, which matches the previous definition of * when used in the src field. If you are using default ACLs or have specified * in src, you don't need to make any ACL changes to get the new secure behavior.
  • We recommend updating all Tailscale clients to v1.66 to benefit from the additional security improvements.

We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.

All platforms

• Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Linux

• Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.

• Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
• Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
• Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.

macOS

• View a suggested exit node in the Exit Node picker when available.
• Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
• Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

iOS

• See direct vs. relayed connections in the Ping view.
• View a suggested exit node in the Exit Node picker when available.
• Use auth keys to log in without using the browser.
• Search tagged devices by tag in the Devices list.
• Remove accounts in the Fast User Switching view by using a long press, without having to log out.
• Improved UI experience to log into a custom coordination server like Headscale.
• The Fast User Switching view can now be used when Tailscale is disconnected.
• Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
• Reduced app launch time.

tvOS

• Manage DNS configuration in the DNS Settings view.
• Generate a bug report identifier by navigating to About Tailscale > Report an issue.
• Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

Android

We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.

• Use new status indicators to see at-a-glance insights into node connectivity. Tap on a node to see detailed information.
• See detailed information about resolvers, domains, and routing configurations in a dedicated DNS Settings view.
• See the status of Tailnet Lock and node keys.
• Use Fast user switching to switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate.
• Use auth keys to log in without using the browser.
• Manage Android devices in your tailnet using Mobile Device Management (MDM) solutions such as Google Workspace, Microsoft Intune, or TinyMDM, among other tools.
• Accessibility support.
• Use dark mode as an alternative to light mode.
• The Quick Settings tile has been temporarily disabled, pending resolution of an issue.
• More intuitive behavior switching between exit nodes.
• Issue with LAN access during exit node use.

• Device posture management GA (generally available)
  • Use Device posture management to collect device properties and set device connectivity rules within your Tailscale network. Leverage Tailscale's integration with CrowdStrike to use Falcon Zero Trust Assessment (ZTA) scores to enable granular access control based on device health and security.

• The API can now read, update, and set split DNS.
• The Tailscale Terraform provider can now manage split DNS.

• Log streaming integration with Axiom GA (generally available).
  • Use Axiom for log streaming.

• Windows machines in the admin console are now displayed using their marketing version number instead of their internal version number.

• Allowable identity providers are no longer limited by pricing plan. Any supported identity provider is available to all plans.

Windows

• Installers are now built using WiX toolchain version 3.14.1.

Synology

• DiskStation Manager UI no longer freezes for a few minutes at startup when attempting to clean unused routes. This update is applicable to the version provided on pkgs.tailscale.com.

• The Tailscale changelog has migrated to a new server. To prevent disruptions to RSS readers that subscribe to our changelog, we have limited the RSS feed to entries published on or after 2024-04-15. Existing RSS subscriptions should not lose access to older entries that have already been downloaded. The full changelog history is always available on our website

• Share devices by sending emails directly from the admin console. The email will contain the invitation and instructions on how to accept the device share.

All platforms

• tailscale serve headers are now RFC 2047 Q-encoded.
• Device web interface enabled by default locally on 100.100.100.100.
• Go is updated to version 1.22.2.

macOS

• Use Tailscale for macOS as a Tailscale SSH client (Standalone variant only).
• Receive alerts when an error occurs while changing client preferences.
• Added a new Internet Access Policy for Little Snitch users.
• The .pkg installer no longer requires a system restart after installing the client (Standalone variant only).
• Unexpected terminations for some macOS 10.15 Catalina users.
• Reduced number of alerts if the network extension terminates unexpectedly.

iOS

• Improved reliability of the ping chart presentation.

Synology

• Update certificates using the cert CLI command.
• IPv6 addresses are available again.

Kubernetes operator

• tailscale configure kubeconfig now respects KUBECONFIG environment variable.
• tailscale configure kubeconfig now works with partially empty kubeconfig.
• MSS clamping for Kubernetes operator proxies using nftables.

Containers

• Containers on hosts with partial support for ip6tables no longer crash.

• Salesforce is available as a preset app.

• External user invites that are unused for 30 days will expire. This includes external invites sent by email and link.

• Invite external users by sending emails directly from the admin console. The email will contain the invitation and instructions on how to join the tailnet.

• ACL Preview now shows posture conditions

Linux

• Send load balancing hint HTTP request header

Windows

• Do not allow msiexec to reboot the operating system

macOS

• Issue that could cause the Tailscale system extension to not be installed upon app launch, when deploying Tailscale using MDM and using a configuration profile to pre-approve the VPN tunnel (applies to standalone variant only)

Synology

• IPv6 routing

Kubernetes operator

• Kubernetes operator proxies should not accept subnet routes

• Call device posture attribute API endpoints using the OAuth access token scope ID devices and personal access tokens belonging to users with the IT admin user role

• Tailscale SSH GA (generally available)
  • Use Tailscale SSH to manage the authentication and authorization of SSH connections in your tailnet

• Download invoices for your Tailscale account in the Billing page of the admin console (beta)

All platforms

• Web interface now uses ACL grants to manage access on tagged devices
• Tailscale SSH connections now disable unnecessary hostname canonicalization
• tailscale bugreport command for generating diagnostic logs now contain ethtool information
• Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
• DNS over HTTP requests now contain a timeout
• TCP forwarding attempts in userspace mode now have a per-client limit
• Endpoints with link-local IPv6 addresses is preferred over private addresses
• WireGuard logs are less verbose
• Go is updated to version 1.22.1
• DERP server region no longer changes if connectivity to the new DERP region is degraded

Linux

• Auto-update version detection on Alpine Linux is improved
• IPv6 support detection in a container environment is improved
• DNS configuration on Amazon Linux 2023 no longer causes an infinite loop

Windows

• ManagedByOrganizationName, ManagedByCaption, and ManagedByURL system policy keys are now supported
• Tailscale Tunnel WinTun adapter handling is improved
• MSI upgrades no longer ignore policy properties set during initial install

macOS

• A .pkg installer package is now available for the standalone release of the Tailscale client
• Taildrop notifications now include actions to reveal the received file in the Finder, or delete it
• Tailnet Lock settings UI displays more information about the status, including key and public key trust status
• The onboarding flow now guides the user in enabling the Tailscale system extension
• Launch Tailscale at login settings item can now be toggled when the Tailscale client is disconnected
• DNS behavior is improved when handling transitions between network interfaces

iOS

• Battery usage is improved
• Taildrop notifications now include actions to reveal the received file in the Files app, or delete it
• Tailnet Lock settings UI displays more information about the status, including key and public key trust status
• Unnecessary log messages are removed when triggered by changes to device power state and routing
• DNS behavior is improved when handling interface transitions between Wi-Fi and Cellular

Android

• Settings persist from previous sign-ins
• Always-on VPN handling is improved
• Custom control server is applied on first start

Kubernetes operator

• Ingress resource handling is improved when deployed before its backing Service resource
• Destination NAT (DNAT) rule management by egress proxies in nftables mode when IP address of tailscale.com/tailnet-fqdn changes

• Secret scanning integration with GitLab
  • Use secret scanning to help mitigate accidental disclosure and prevent fraudulent use of Tailscale-generated keys

• sshTests ACL top-policy section lets you write assertions about your SSH access rules and functions similarly to ACL tests, but for Tailscale SSH
• user:*@<domain> ACL autogroup allows access for any user whose login is in the specified domain and is a direct member of the tailnet
• localpart:*@<domain> ACL autogroup allows Tailscale SSH access to a user on the host whose name matches the local-part of the user's Tailscale login

All platforms

• Exposing port 8080 to other devices in your tailnet works as expected

• Users page of the admin console updated to provide more context around user invitations, user approval, and your tailnet's identity provider

• Users can only see exit nodes they have permission to use, based on the ACL settings for a tailnet. This includes visibility in the Tailscale client and the output for Tailscale CLI commands such as tailscale status and tailscale exit-node list.

• Preset Apps GA (generally available)
  • Use Preset Apps to configure common applications with only a few clicks or an ACL configuration. Routes and domains for Preset Apps are automatically updated and managed by Tailscale, based on each app’s source of truth. Routes for preset apps are automatically approved and pushed down to all selected App connectors.
• Confluence, GitHub, Google Workspace, Jira, Okta, and Stripe are now available as preset apps

• The Free pricing plan is now called the Personal plan. All other aspects of the plan remain the same.
• Customers who sign up with a custom domain will be auto-enrolled into a 14-day trial of the Enterprise plan with no provisioned user limits
• Personal plan customers who use a custom or vanity domain for their tailnet can opt out of the trial and continue to use the Personal plan
• Customers who use Tailscale for commercial purposes will be billed for all of their active users once they sign up for a plan

Note: Free trials are available for business customers. For details about billing, plan comparison, and support, see Pricing & Plans FAQ. For instructions on how to change your plan, see Modify billing.

All platforms

• tailscale status command output now includes location-based exit nodes
• tailscale web command flag --read-only is added to run the web UI in read-only mode
• A warning is logged when unable to find SSH host keys
• Support added for legacy "urn:dslforum-org" port mapping services
• Build with Go 1.22
• Detect when Tailscale is running on Digital Ocean and automatically use Digital Ocean's DNS resolvers
• Expose gVisor metrics in debug mode
• Improve error message when running as non-root
• A valid login page is presented to users when attempting to log in even after leaving device unattended for several days
• An issue with noisy peer mtu discovery errors
• A potential crash when no supported port mapping services are found

Windows

• Fixed:tailscaled could be slow or cause increased CPU usage with large routing tables

macOS

Note: Tailscale v1.60.0 is built with Go 1.22 and Go 1.22 is the last release that will run on macOS 10.15 Catalina (source). We are providing notice that around August 15, 2024, Tailscale will be built with Go 1.23 at which time macOS users that want to run the latest version of Tailscale will require macOS 11 Big Sur or later. Note that macOS 10.15 Catalina is no longer supported by Apple and is no longer receiving security updates.

• New UI to add, remove, and switch between user accounts, including using custom control servers
• New UI to change client preferences
• New UI to manage updates for the Standalone variant of the client, including switching in-app between stable and unstable builds
• VPN On Demand is now supported on macOS, to automatically connect/disconnect Tailscale when specific conditions are triggered
• Reset VPN Configuration menu item in the Debug menu is now available to reset the system VPN configuration if needed
• An alert window is presented when the Tailscale network extension fails to start, providing suggested troubleshooting steps
• Tailscale appears in the macOS Dock when an app window is presented
• The Network Devices list now shows all devices known to the control server, not only those seen in the last 4 days
• The onboarding flow automatically advances once the user is connected
• A potential crash and excessive logging upon client launch
• Start on Login is set correctly on macOS Ventura and earlier versions

iOS

• A potential crash and excessive logging upon client launch
• Stale devices are no longer presented in the devices list

tvOS

• A potential crash and excessive logging upon client launch
• Stale devices are no longer presented in the devices list

Android

• Mullvad exit nodes now sorted to make it easier to find the best node for each location
• Mullvad tunnels are no longer shown as regular nodes in UI
• Quick settings tile now works

Synology

• An issue with stalling of SMB transfers of large files

Kubernetes operator

• A new ProxyClass custom resource that allows you to provide a custom configuration for cluster resources that the operator creates
• ACL tags for the operator can now be configured via Helm chart values
• Routing to Ingress backends that require an exact path without a slash (/) suffix

App connectors

• App connectors now flatten DNS CNAME chains down to a target A/AAAA routing record, for apps that are configured with a DNS record that is a CNAME
• Apps can be preconfigured with known routes to have those routes auto-advertised by all selected app connectors, and immediately begin to route traffic

• Auto-updates GA (generally available)
• Enable Tailscale client auto-updates in the Device management section of the admin console
• Initiate Tailscale client updates to devices from the Machines page of the admin console. For details, see Auto-updates.

• New Apps and app connectors can no longer be selected via the * wildcard in a tailnet policy file or configuration flow. Instead, tag all app connectors and then use the tags as a selector. Existing * configurations will need to update to a tag-based selector upon the next tailnet policy file change. For details, see Wildcard connectors no longer supported.

• System policies GA (generally available)
  • Use system policies (also known as MDM policies) to control Tailscale client settings for your users, such as UI visibility, organization customization, auto-update functionality, and runtime configurations

• Secret scanning integration with GitGuardian
  • Use secret scanning to help mitigate accidental disclosure and prevent fraudulent use of Tailscale-generated keys

• Device Posture is now supported in ACL Tests

Note: The 1.58.1 release needed to be re-done. Use 1.58.2 instead.

All platforms

• App connectors have improved scheduling and merging of route changes under some conditions
• Crash when performing UPnP portmapping on older routers with no supported portmapping services

macOS

• Opening the About window no longer displays a user interface when there is no newer version

Note: Rollout of 1.58.0 paused on 21-Jan-2024 while we investigate reports of a regression with portmapping.

All platforms

• The number of 4via6 site IDs are increased from 256 to 65,536
• Taildrop allows category Z unicode characters
• DERP flapping (flipping back and forth between two regions rapidly) is reduced when there's still an active connection for the home DERP server
• Portmap checks the epoch from NAT-PMP & PCP, and establishes a new portmapping if it changes
• Portmap better handles multiple interfaces
• Portmap handles multiple UPnP discovery responses
• Increased binary size with Tailscale 1.56 is resolved
• Web interface issue related to accessing shared devices
• Web interface login issue when accessed over HTTPS

Linux

• Shell shebang is added in postinstall script, which fixes some Debian installations

macOS

• DNS Settings view is added and displays the DNS configuration used when Tailscale is running
• Quit the app without terminating the VPN tunnel by holding down the Option button and selecting Quit (Leave VPN Active)
• Toggle Tailscale shortcut action can be used to connect or disconnect the VPN tunnel, depending on its current state
• The KeyExpirationNotice system policy is now supported to customize the time interval before a key expiration notice is displayed to the user
• The web interface is now supported in the standalone variant of the client
• Onboarding flow includes a step to ask the user to approve key expiry notifications
• Onboarding flow asks the user to approve the system extension if necessary, when using the standalone variant of the client
• Pre-Sonoma compatibility is improved
• VPN tunnel terminates upon closing the app
• Opening the About window triggers a check for updates
• The standalone variant of the client checks for updates every 72 hours

iOS

• Toggle Tailscale shortcut action can be used to connect or disconnect the VPN tunnel, depending on its current state. Ideal for the Action Button on iPhone 15 Pro.
• The KeyExpirationNotice system policy is now supported to customize the time interval before a key expiration notice is displayed to the user
• Sign button in the Tailnet Lock device sign view is rendered correctly
• Connectivity is no longer lost when transitioning from Wi-Fi to Cellular while an exit node is in use

Windows

• The web interface is now supported
• The lookup for netsh.exe uses the absolute path instead of the relative path
• ADMX system policy descriptions are now available
• Vestigial wintun support is removed, which might have caused Chocolatey installs to break
• A goroutine leak in winMon no longer occurs if the monitor is never started
• "This package requires Windows 10 or newer" message no longer falsely displays during an uninstall or repair

Android

• Active network change detection is improved

tvOS

• Improvements to persistence of the client when running in the background

Kubernetes Operator

• A Connector custom resource is added, allowing users to configure the operator to deploy an exit node, subnet router, or both
• A warning displays if the unsupported ingress Exact path type is used
• StatefulSet labels are synced to their Pods
• A Tailscale IngressClass resource is added
• Extra long Service names are properly truncated

Containers

• Experimental support is added for configuring tailscaled using a mounted config file
• Tailscale images now contain layers of the same media type and can be parsed by Podman and Buildah

• Zoho is now supported as a custom OIDC provider

• Available update icons on the Machines page of the admin console now differentiate between regular and security updates
• The Version filter on the Machines page can now show nodes with pending security updates

Windows

• Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001). This release is intended for Windows 7 and 8 users. Those with later versions of Windows should run the latest stable version of Tailscale, which is 1.56.1. This issue was resolved in Tailscale 1.52.

• Invite any user to your tailnet when using a GitHub organization or GitHub personal account as the identity provider

• View the TLS certificate status of a machine in your tailnet by using the Machines page of the admin console

• HTTPS certificates GA (generally available)
  • Use HTTPS certificates to provision TLS certificates for devices in your tailnet

Linux

• Web interface redirects to the correct self-IP known by the source peer
• App connector domain list displays as expected

macOS

• Custom login server uses the provided URL instead of the Tailscale default login URL

iOS

• Custom login server uses the provided URL instead of the Tailscale default login URL

tvOS

• Custom login server uses the provided URL instead of the Tailscale default login URL

• Use ACL Grants in your tailnet policy file to provide capabilities at either the IP layer or the application layer (beta)

• Use Device posture management to collect device properties and set device connectivity rules within your Tailscale network (beta)
• "Enable posture identity collection" and "Disable posture identity collection" are logged as configuration audit logging events when device posture identifiers are enabled or disabled, respectively
• "Create posture integration" is logged when a new device posture integration is added
• "Update posture integration" is logged when a device posture integration is updated
• "Remove posture integration" is logged when a device posture integration is removed

All platforms

• tailscale whois command shows the machine and user associated with a Tailscale IP address
• System policies are now in beta
• tailscale switch --list command shows name and profile ID to disambiguate profiles with common login names
• Responsiveness is improved under load, especially with bidirectional traffic
• UPnP port mapping is improved

Linux

• The web interface allows users to configure some device settings such as exit nodes, subnet routers, and Tailscale SSH using a browser-based GUI instead of the Tailscale CLI
• tailscale update command is supported for Unraid
• containerboot symlinks its socket file if possible, making the Tailscale CLI work without --socket=/tmp/tailscale.sock

Windows

• Throughput is improved for userspace ("netstack") mode in the presence of packet loss
• Profile switcher displays the tailnet name
• Dynamic DNS updates are disabled in the client interface via the registry setting
• Client improvements when restarting after an upgrade

macOS

• Taildrop notification displays when a file is received (App Store variant only)
• Taildrop shortcut action is added for file sharing
• Profile switcher displays the tailnet name
• About Tailscale dialog indicates when the app is running a TestFlight build
• In-app warnings and push notifications display when internet connectivity is blocked because the current exit node is offline or its key has expired
• VPN tunnel fully terminates when Tailscale is stopped, using the menu bar toggle
• /etc/resolv file formatting with Tailscaled-on-macOS is improved

iOS

• DNS Settings view is added
• Taildrop shortcut action is added for file sharing
• Taildrop notifications include the received file names
• Profile switcher displays the tailnet name
• About Tailscale dialog indicates when the app is running a TestFlight build
• Allow Local Network Access option is added to the exit node picker UI
• In-app warning and push notification displays when internet connectivity is blocked because the current exit node is offline or its key has expired
• App size is reduced by about 2 MB with better asset compression

tvOS

• Apple TV can be configured as a subnet router, allowing you to remotely access resources on your home network that may not have Tailscale installed, such as a printer
• About Tailscale dialog indicates when the app is running a TestFlight build

Kubernetes

• Helm charts for the Tailscale Kubernetes Operator are now available on pkgs.tailscale.com/helmcharts
• Kubernetes API server proxy supports impersonating groups via ACL Grants
• Kubernetes operator cluster egress now supports referring to a tailnet service by its MagicDNS name in the Service annotation

GoKrazy

• TUN mode is used by default

• Use App connectors to connect software as a service (SaaS) applications to your Tailscale network (beta)

• Use Regional routing to route your traffic across distributed high availability infrastructure based on region (generally available)

• proto field is now supported in ACL tests

macOS

• Changing a pre-existing system policy value to nil no longer causes stability issues

iOS

• Changing a pre-existing system policy value to nil no longer causes stability issues
• Widget tracks the connection state more closely

tvOS

• Changing a pre-existing system policy value to nil no longer causes stability issues

• Use IP pool to enable configuring a specific CGNAT IP range subset in your tailnet policy file (alpha)

• Each individual tailnet can now use the full CGNAT address range of 100.64.0.0/10

• Tailscale IPv6 local addresses are assigned from the unique local address prefix of fd7a:115c:a1e0::/48. Previously IPv6 addresses were assigned from fd7a:115c:a1e0:ab12::/64.

• Log streaming integration with Datadog GA (generally available)
  • Use Datadog for Log streaming

• Require check mode on every Tailscale SSH connection by specifying "checkPeriod": "always" in your tailnet policy file from the Access controls page of the admin console

All platforms

• Go is updated to version 1.21.4

Linux

• Substantially improve throughput for UDP packets over TUN device with recent Linux kernels
• Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to if the machine administrator had previously granted that user tailscale up --operator privilege (TS-2024-001)

Windows

• Open menu with a regular click in addition to a right-click

macOS

• Implement MDM settings for the standalone macOS application
• Support for the tailscale update command for the standalone macOS application
• Don't run Taildrop cleanup loop until the first file transfer, and avoid spurious security dialog

iOS

• Show a helpful banner if there are no other devices on the tailnet
• Add Allow Local Network Access setting when using an exit node
• Show info bubble when key expires within 8 hours, or has expired
• Widgets now reflect the state of the VPN tunnel more accurately

QNAP

• Support for the tailscale update command

• Scanning for exposed Tailscale secrets
  • Scanning for exposed Tailscale secrets helps mitigate accidental disclosure and prevent fraudulent use of Tailscale-generated keys
• Secret scanning integration with TruffleHog
  • TruffleHog scans for exposed Tailscale keys

• Revert your tailnet policy file from the Configuration logs page of the admin console

• Log streaming private endpoints GA
  • Use private endpoints in your tailnet for Log streaming (generally available)
• Configuration audit log streaming is now available to the Free plan
• Log streaming integration with Cribl GA
  • Use Cribl for Log streaming (generally available)

Windows

• Resolve an incompatibility with other software that uses wintun

NAS platforms

• Clean up downloaded upgrades after applying them

• Delete non-provisioned users on a tailnet with user & group provisioning enabled

• Use auto-updates (beta) to keep your Tailscale client on the latest version

• Tailscale Kubernetes operator is now in beta
  • Use the Kubernetes operator to expose services in your Kubernetes cluster to your tailnet, connect to your tailnet from a Kubernetes cluster, and securely connect to the Kubernetes control plane
• Use a Helm chart to deploy the Kubernetes operator

• Tailscale extension for Visual Studio Code GA (generally available)
  • Use the Tailscale extension for Visual Studio Code to interact with resources in your tailnet from within the VS Code IDE

All platforms

• tailscale cert command renews in the background. The current certificate only displays if it has expired.
• tailscale status command displays a message about client updates when newer versions are available
• tailscale up command displays a message about client updates when newer versions are available
• Taildrop now resumes file transfers after partial transfers are interrupted
• Taildrop prevents file duplication
• Taildrop detects conflicting file transfers and only proceeds with one transfer
• Wake on LAN (WoL) is now supported for peer node wake-ups
• TCP DNS queries are speculatively started if UDP hasn't responded quickly enough
• Truncated UDP DNS results are properly retried using TCP
• Go is updated to version 1.21.3

Linux

• tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
• tailscale serve and tailscale funnel commands are updated for improved usability
• tailscale update command for manual updates is now in beta
• Taildrop file transfer displays a progress meter
• nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
• DNS detection of NetworkManager with configured but absent systemd-resolved, such as EndeavourOS
• DNS detection for Debian resolvconf version 1.90 or later

Windows

• tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
• Preferences section contains auto-update setting
• Update notice displays, when a new version is available
• System policies allow system administrators to set a forced/suggested tailnet name, hide settings menu items, and more
• tailscale serve and tailscale funnel commands are updated for improved usability
• tailscale update command for manual updates is now in beta
• iphlpsvc, netprofm, and WinHttpAutoProxySvc service dependencies are checked during installation
• Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001)

macOS

• tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
• App menu displays a notification item when a newer version is available
• System policies allow system administrators to set a forced/suggested tailnet name, prevent the VPN from stopping, hide categories of network devices and setting menu items, and more
• Settings section has an option added for turning on auto-updates
• Reauthenticate menu item shows time until expiry more prominently, presenting alerts when necessary
• tailscale serve and tailscale funnel commands are updated for improved usability
• tailscale update command for manual updates is now in beta
• About window more clearly distinguishes between the Standalone and App Store variants of the client
• Sparkle is updated to version 2.5.1

iOS

• Settings page displays a notification banner when a newer version is available on the App Store
• Home and lock screen widgets are supported
• System policies allow system administrators to set a forced/suggested tailnet name, prevent the VPN from stopping, hide the VPN On Demand settings, categories of network devices and settings menu items, and more

tvOS

• DNS support when operating as an exit node

• OAuth clients GA (generally available)
  • Use OAuth clients to provide delegated fine-grained access to the Tailscale API
• Search domains GA (generally available)
  • Use Search domains to set custom DNS domain suffixes that are automatically appended to any domain name that is not a fully qualified domain name (FQDN)

• Use the Add device button in the Machines page of the admin console to download the Tailscale client. See Add a device for details.

All platforms

• Fixed:tailscale serve configuration doesn't persist in container (#9558)
• Tailnet Lock fails to sign node in container (#9539)
• Funnel doesn't work for tsnet apps (#9566)
• UPnP potentially crashes in specific circumstances

• Webhook events are available in a format for Google Chat

All platforms

• Wikimedia DNS using DNS-over-HTTPS is supported
• Build with Go 1.21.1
• tailscale update command is unhidden on most platforms
• tailscale ping command sends an ICMP Ping code of 0
• tailscale webcommand updated to use React
• tailscale debug portmap command now has the --log-http option
• tailscale netcheck command works even if the OS platform lacks CA certificates
• UPnP falls back to a permanent lease if a limited lease fails
• WireGuard peer endpoint selections are improved

Linux

• Debian package lists the iptables and iproute2 packages as recommended, not required
• nftables support interoperates with Uncomplicated Firewall (UFW)

Windows

• tailscale bugreport logs contain additional diagnostic information
• Windows executable installer detects when it is running on Windows 7 or Windows 8.x and will automatically download the appropriate v1.44.2 MSI package, which is the final release supporting those operating systems
• Windows executable installer no longer embeds MSI packages in the executable. Instead, it automatically downloads the correct package. Users desiring the previous behavior may download the "full" executable installer at pkgs.tailscale.com.

macOS

• Shortcuts are added for finding and pinging devices
• Mullvad Exit Nodes allows you to select nodes by country and city
• Tailnet Lock reliability improvements
• Taildrop no longer replaces spaces with %20 in file names when sending files to Windows devices

iOS

• Fast user switching is available
• iOS 17 supports customized device naming from Settings
• App Shortcuts in Spotlight and Siri are supported. Try saying: "Hey Siri, connect to Tailscale" or "Hey Siri, is Tailscale connected?".
• Shortcuts are added for finding and pinging devices
• Mullvad Exit Nodes includes an option to pick the best available node
• UI accessibility improvements when using VoiceOver
• Taildrop no longer replaces spaces with %20 in file names when sending files to Windows devices
• VPN On Demand rules are no longer reset when disabled and then restarted

• Requests for OAuth access tokens may now specify a custom set of tags instead of always inheriting the tags from the OAuth client
• Requesting OAuth access tokens with invalid scopes will now fail rather than returning a token with default scopes

• Use the Tailscale Kubernetes operator to expose a Kubernetes cluster to your tailnet and securely connect to the Kubernetes control plane (alpha)

• Apple TV GA (generally available)
  • Use an Apple TV to access your media server content remotely, route Apple TV traffic through an exit node, or advertise Apple TV as an exit node

All platforms

• Stability improvements for Mullvad Exit Nodes, particularly for users on IPv4-only networks

• Use Mullvad Exit Nodes to have Mullvad VPN endpoints as exit nodes for your Tailscale network (beta)
• "Enable Mullvad VPN for tailnet" and "Disable Mullvad VPN for tailnet" are logged as configuration audit logging events when Mullvad Exit Nodes are enabled or disabled, respectively

• The Active status filter option in the Users page of the admin console is removed. Use the Billing page to track your active users instead.
• The Inactive badge and status filter option in the Users page of the admin console is renamed Idle

All platforms

• Fix a security vulnerability in UPnP port mapping (TS-2023-006)

Linux

• Fixed: Resolve nftables interaction between Tailscale and UFW which resulted in blocking subnet routed traffic

Synology

• Determine correct CPU architecture in tailscale update (#8927)

• User & group provisioning for Microsoft Entra ID (beta)
  • Sync Microsoft Entra ID groups to use in your Tailscale ACLs

All platforms

• tailscale exit-node subcommand
• --upstream flag in the tailscale version command
• The tailscale funnel command provides an interactive web UI that prompts you to allow Tailscale to enable Tailscale Funnel on your behalf
• The tailscale serve command provides an interactive web UI that prompts you to allow Tailscale to enable HTTPS and Tailscale Funnel on your behalf
• Tailnet Lock is in beta

Linux

Note: 1.48.0 introduced a regression in the interaction between Tailscale and Linux ufw. The Linux release has been withdrawn pending a fix.

• Support for nftables
• RPM packages are now fully signed
• Support for the tailscale update command on Alpine, Arch and Fedora distro families

Synology

• Support for the tailscale update command

macOS

• Support for the tailscale update command

iOS

• Support for VPN On Demand
• VPN tunnel lifecycle improvements
• Improved exit node selection
• Minor UI tweaks

• The Tailscale CLI now guides users through enabling serve and funnel.

• Log streaming integration with Panther Labs GA (generally available)
  • Use Panther Labs for Log streaming

• Tailnet Lock is now in beta
  • Use Tailnet Lock to require your nodes to verify node keys distributed by the coordination server before trusting them

• Use the Tailscale GitLab CI/CD configuration to access devices in your tailnet directly from your GitLab Runner

• View and interact with machines on your tailnet within the Tailscale extension for Visual Studio Code. Powered by Tailscale SSH, you can remotely manage files, open terminal sessions, or attach remote VS Code sessions.

• Use private endpoints (beta) in your tailnet for log streaming

• autogroup:tagged to refer to all tagged nodes in a tailnet

All platforms

• Issue with Tailnet Lock signature verification

Linux

• Crash issue on ARM64

Android

• DNS and subnet routes issue

• Syntax for autogroups now supports autogroup:member in addition to autogroup:members when referring to all users in a tailnet

• The logs:read OAuth scope can be used to grant API access to configuration audit logs
• The network-logs:read OAuth scope can be used to grant API access to network flow logs

• The tailnet policy file validation endpoint will now return warnings about SCIM synced groups in addition to errors in the response object. These will be the same warnings you would have seen visually in the admin console if you had tried to save that policy file. See the user and group provisioning documentation for more detail.

Linux

• Initial support for nftables-based configuration. This option is currently behind a temporary flag for testing and feedback. See issue #391 for details.

Windows

• Tailnet Lock is now supported

macOS

• Tailnet Lock is now supported

iOS

• Tailnet Lock is now supported
• Onboarding flow is added for easier initial setup of the app
• Ping devices on your tailnet from the app
• The app Machines page is improved
• The app Exit Node section is improved
• The app Settings page is improved

• The Tailscale iOS client is updated with significant design and engineering improvements

All platforms

• Handling of custom HTTP ports in tailscale serve

Windows

• Restore support for Microsoft Windows 7 and Microsoft Windows 8.x.
  Tailscale v1.44.2 will be the last release to support the following operating systems: Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, and Microsoft Windows Server 2012.

• Use Panther Labs (beta) for Log streaming

Android

• Various bugs and improvements

• Updated Terms of Service
• Updated Privacy Policy

• The Tailscale GitHub Action now supports use of an OAuth client for its node authorization. The action also supports running on ARM64 nodes.

• Network flow logs GA (generally available)
  • Use Network flow logs to understand which nodes connected to which other nodes, and when, in your tailnet
• Log streaming GA (generally available)
  • Use Log streaming to stream Configuration audit logs and Network flow logs to a security information and event management (SIEM) system

• Nairobi added as a DERP region

• Description field is added to the Generate auth key dialog in the Keys page of the admin console
• Description field is added to the Generate access token dialog in the Keys page of the admin console
• Description field is added to the Generate OAuth client dialog in the OAuth clients page of the admin console

Note: This is the last release to support the following operating systems:

• macOS 10.13 High Sierra
• macOS 10.14 Mojave

Tailscale releases after 1.44.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.44.0 with future releases until at least June 30, 2024.

To install Tailscale on a High Sierra or Mojave system, visit the Purchased Items in the App Store Account page. macOS High Sierra or Mojave systems will be offered Tailscale 1.44 when the download link is clicked. If Tailscale does not appear in the Purchased Items it must first be successfully installed using a recent macOS system. The Tailscale app will then be available for the High Sierra or Mojave system to install from Purchased Items.

All platforms

• tailscale serve http command to serve over HTTP (tailnet only)
• tailscale ssh command now supports remote port forwarding
• Recursive DNS resolution is now initially supported to replace bootstrapDNS when operating in a parallel mode
• Build with Go 1.20.5
• --tun-userspace-networking stability improvements for userspace subnet routers
• MagicSock private addresses are given preference when both private and public are available, to help keep traffic in private VPCs, where possible
• Async support is removed from the portlist package. Update to use synchronous Poll() if this breaks your package.
• WatchIPNBus now only requires read-only permissions to read
• tailscale cert renewal decision is now based on the lifetime of the certificate instead of hard-coded. This better supports 14 day certificate lifetimes.

Linux

• Changed:tailscale ssh support improvements for Security-Enhanced Linux (SELinux) systems
• Changed:tailscale ssh supports user names with up to 256 characters
• build_dist.sh better supports operating systems and CPU architectures which Tailscale release builds do not include
• The iputils package can now be installed on Alpine-based Docker containers

Windows

• PreferGo supports better DNS caching

macOS

• ICMP6 forwarding works as expected when running as a subnet router

FreeBSD

• ICMP6 forwarding works as expected when running as a subnet router

OpenBSD

• ICMP6 forwarding works as expected when running as a subnet router

WASI

• tsnet applications compiled to WebAssembly are now better supported

• The Tailscale app for QNAP is now available in the QNAP App Center

• IPv6 addresses can now be directly specified in ACL rules and tests.

• Codeberg and Gitea supported as custom OIDC providers

• Edit group membership in the Users page of the admin console

• Setup for custom OIDC providers provides the option for specifying a prompt (none, consent, login, select_account) for the user authentication page. If your tailnet was already using a custom OIDC provider, we updated your setup automatically to use consent, which prior to today was the only supported value.

• Ping Identity is now available as a custom OIDC provider

• Changed: When logging in to a node that has an expired key in a tailnet that has enabled Tailnet Lock, an error message is returned, directing you to reauthenticate instead of logging in, or to delete the machine from within the admin console before logging in again

• Invite any user to your tailnet with a URL invitation (beta)
• "User joined external tailnet" is logged as a configuration audit logging event when a user in your tailnet joins another tailnet

• The Leave tailnet option has been added to the Tailscale Login page
• The Leave tailnet menu option has been added to the Users page of the admin console for the selected user
• "User left external tailnet" is logged as a configuration audit logging event when a user in your tailnet leaves another tailnet

• Use a passkey to authenticate to a tailnet (beta)
• Sign in with passkey option is added to the Tailscale Login page

• Use the Tailscale extension for Visual Studio Code to interact with resources in your tailnet from within the VS Code IDE (beta)

• Manage Tailnet Lock from the Device management page of the admin console, when enabled
• Improved UI for Tailnet Lock settings in the Machines page of the admin console

Note: This is the last release to support the following operating systems:

• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows Server 2008
• Microsoft Windows Server 2012

Tailscale releases after 1.42.0 will no longer install on these operating systems, though we expect to maintain forward compatibility and critical security updates for 1.42.0 with future releases until at least May 31, 2024.

Note: Do not install this version of the Tailscale client on macOS 10.13. Upgrade to version 1.44.0 instead.

All platforms

• tailscale serve reset command to clear out the current serve configuration
• Changed: Update internal DNS handling to better support mixtures of global and private DNS servers

Linux

• SSH login on platforms which lack getent

Windows

Note: This release switches to a new application signing certificate, which is valid through 2025.

• Notification icons are updated

macOS

• Update Sparkle to check more regularly
• Taildrop delivery of incomplete files

iOS

• Delete Account button to redirect to the admin panel
• Better handle memory management to avoid hitting 50 MByte memory limit

Unraid

• Support Unraid as a NAS platform similar to how Synology and QNAP are handled

Kubernetes

• Support for priorityClassName

• ACL tags for auth keys created via API are lowercased

• Custom OIDC providers (generally available)
  • Use a custom OIDC provider for authentication to your tailnet

• Webhook events are available in formats for Discord and Mattermost

• Use Tailscale SSH session recording to stream Tailscale SSH session logs to a designated node in your tailnet (beta)

Linux

• Tailscale SSH is now supported for LDAP users
• Support for Tailscale SSH session recording to a local file is restored
• Debian and RPM packages for MIPS architecture generate as expected

Windows

• Notification icons are updated
• The 32-bit Windows installer for the Tailscale client works as expected

macOS

• tailscale cert command no longer causes timeout failures

Kubernetes

• The Tailscale version displays in the startup logs

• Authelia is now available as a custom OIDC provider (beta)

• Apple is now available as a supported SSO identity provider, for all plans

• Use Search Domains to configure DNS for accessing network resources without having to specify the full domain path (beta)

• "Create logstream endpoint for tailnet", "Update logstream endpoint for tailnet", and "Delete logstream endpoint for tailnet" are logged as configuration audit logging events for Log streaming

• Use Log streaming to stream configuration audit logs and network flow logs to a security information and event management (SIEM) system (beta)

All platforms

• tailscale up --force-reauth will now display a warning and 5 second countdown if you are connected over SSH over Tailscale, unless --accept-risk=lose-ssh is also given
• Tailscale now dynamically increases the buffer size for DERP relay messages based on the amount of available RAM (#7776)
• Improvements were made to how Tailscale advertises available endpoints to reduce the likelihood of a spurious loss of direct connections (#7877)

Linux

• Substantially higher throughput—for details, see Surpassing 10Gb/s over Tailscale
• Improved CPU consumption on systems with a very large (1M+) routing table

Windows

• Redo migration of pre-Fast-User-Switching state for better robustness

macOS

• "Settings" replaces "Preferences" as a menu item on macOS Ventura

Android

• Added intents com.tailscale.ipn.CONNECT_VPN and com.tailscale.ipn.DISCONNECT_VPN

gokrazy

• Tailscale SSH now works

QNAP

• UI failure after reboot

• The Machines page of the admin console has been updated to use Version as a column heading instead of OS, and to show the Tailscale client version prior to the operating system name

• "Update auto approved routes for node" is logged as a configuration audit logging event for routes advertised by the node that are updated using autogroups
• "Update approved routes for node" replaces "Update advertised routes for node" in Configuration audit logging events

• nodeDeleted webhook event is now generated when a node is removed from the tailnet, including automatic removal of ephemeral nodes

• Sync Tailscale ACLs GitLab CI Template to keep your tailnet policy file in GitLab, and automatically run tests and push changes to Tailscale

• autogroup:billing-admin and autogroup:auditor added as autogroups

• "Enable network flow logging for tailnet" and "Disable network flow logging for tailnet" are logged as Configuration audit logging events for Network flow logs

• The Billing page of the admin console is updated to show new Tailscale pricing plans and a tailnet's monthly active users

• Use Network flow logs to understand which nodes connected to which other nodes, and when, in your tailnet (beta)

• Auth0, Authentik, Dex, Duo, GitLab, JumpCloud, Keycloak, Ory, and ZITADEL are now available as custom OIDC providers (beta)

• The available pricing plans are Free, Starter, Premium, and Enterprise. Community on GitHub projects remain free, and discounts remain available for charities, not-for-profit organizations, and educational institutions. If you want, you can keep your old plan until at least April 30, 2024.
• The Free plan has three free users
• All plans only pay for incremental usage above three users

• autogroup:admin, autogroup:it-admin, autogroup:network-admin, and autogroup:owner added as autogroups

• Click on a machine's IP address in the Machines page of the admin console to display a machine address copy card. Within the machine address card, click to copy the MagicDNS name, IPV4 address, or IPV6 address of the machine to your clipboard.

All platforms

• Build with Go 1.20.3 to address security fixes (CVE-2023-24537, CVE-2023-24538, CVE-2023-24534, and CVE-2023-24536). These address potential DoS attacks against DNS over HTTPS and Funnel that can occur over the public internet, and PeerAPI attacks launched from other nodes already on the tailnet.
• Added path support for proxy targets with tailscale serve
• Error displays when trying to use Funnel and tailscale up --shields-up simultaneously

Windows

• When connected to a Windows 10 client using Windows RDP, the Tailscale taskbar right-click option for the remote client works as expected (#7698)

• "Log in using the web interface" and "Log out using the web interface" are logged as Configuration audit logging events for the Member user role. These events differentiate logins from users with access to the admin console.

• Tailnet Lock works with shared nodes and Tailscale SSH console

• Tailscale Funnel (beta)
  • Route traffic from the wider internet to one or more of your Tailscale nodes.

All platforms

• Support for stripping HTTP request paths from Funnel proxy routes (#6571)
• Tailscale Funnel is now beta
• tailscale serve issue that did not use actual SrcAddr as X-Forwarded-For

Linux

• Certificate storage issue that did not actually use Kubernetes secrets

Windows

• Upgraded the Walk framework for the GUI client to improve menu responsiveness