Changelog on Tailscale

View device posture status

Wed, 29 Apr 2026 00:00:00 GMT

New: View the device posture status of a machine in your tailnet by using the Machines page of the admin console.

GitOps for Tailscale with GitHub Actions v1.5.2

Mon, 27 Apr 2026 00:00:00 GMT

A new release of GitOps for Tailscale with GitHub Actions is available. You can download it from the GitHub Actions Marketplace.

Fixed: Update dependencies to remove Node 20 deprecation warning.

Aperture

Thu, 23 Apr 2026 00:00:00 GMT

Use Aperture (beta) to secure and manage your LLM agents with a single control plane across all your providers and models.

New: Create custom guardrails with pre-LLM-call hooks to strip or block PII and restrict specific agent tools before requests reach the LLM.
New: Configure log retention time down to zero for request/response capture logs, with S3-compatible export supported.
New: Audit logs for configuration changes and when admins view logs owned by other users are available using a new API endpoint and UI.
Changed: Set customizable quotas across providers, models, users, agents, or individual agent runs.

Access API-only tailnets with OAuth clients

Thu, 23 Apr 2026 00:00:00 GMT

New: API-only tailnets can be accessed by any OAuth client with the all scope in the creating tailnet.

Seat calculator

Wed, 22 Apr 2026 00:00:00 GMT

New: A seat calculator is available to help you understand seat consumption on your account before upgrading to a new plan.

New pricing and packaging

Wed, 08 Apr 2026 00:00:00 GMT

Changed: New tailnet plan signups are billed based on occupied user seats instead of monthly active users. Existing tailnets on a legacy plan will continue to be billed based on monthly active users.
Changed: All plans can have an unlimited number of user devices in a tailnet.
Changed: The Personal plan provides up to six free users instead of the previous three users.
Changed: Ephemeral node usage is free up to a monthly limit, by pricing plan. After four hours in the tailnet, nodes are treated as standard tagged devices and stop consuming ephemeral minutes.
Changed: As part of the Personal plan change, Aperture by Tailscale also provides for up to six free users during the alpha testing phase.
Changed: The Starter plan is no longer available as a plan option for new signups. The new Standard plan is the closest equivalent option.
Changed: Promo codes can be applied to existing plans. Previously, promo codes could only be applied when upgrading to a new plan.

For more information about our pricing plans and the features available for each plan, refer to Pricing and Pricing FAQs.

Tailscale container image v1.96.5

Tue, 07 Apr 2026 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

New: Services are now automatically advertised on startup. This can be disabled by setting the new environment variable, TS_EXPERIMENTAL_SERVICE_AUTO_ADVERTISEMENT, to false.
Fixed: The Tailscale container no longer tries to create a secret using TS_KUBE_SECRET when the variable is empty.

Tailscale Kubernetes Operator v1.96.5

Tue, 07 Apr 2026 00:00:00 GMT

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

New: Ingress and Egress ProxyGroup pods are able to request a new authkey when required.
New: Multiple tailnet access can be enabled with the use of the new Tailnet custom resource.
New: ProxyGroup creation controls can be managed by namespace with the new ProxyGroupPolicy custom resource.
Changed: The environment variable TS_EXPERIMENTAL_KUBE_API_EVENTS is removed. This can instead be set via Tailscale ACLs.
Fixed: The environment variable TS_LOCAL_ADDR_PORT no longer fails when it is populated with an IPv6 address without brackets.

Tailscale tsrecorder v1.96.5

Tue, 07 Apr 2026 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: The Recorder CRD defaults to deploying a single replica StatefulSet, using the filesystem storage backend`.

Tailscale v1.96.5

Mon, 30 Mar 2026 00:00:00 GMT

iOS

Fixed: An issue that could cause the network extension to encounter an out of memory condition on large tailnets is resolved.

tvOS

Fixed: An issue that could cause the network extension to encounter an out of memory condition on large tailnets is resolved.

Tailscale v1.96.4

Fri, 27 Mar 2026 00:00:00 GMT

Linux

Fixed: An issue on forks of Linux caused by fallback-on-ENOSYS logic is resolved.
Fixed: An issue that could cause a segmentation violation during startup on MIPS devices is resolved.

Android

Fixed: An issue causing a deadlock when disconnecting from a tailnet is resolved.

Synology

Fixed: An issue on forks of Synology Linux caused by fallback-on-ENOSYS logic is resolved.

Tailscale v1.96.3

Thu, 19 Mar 2026 00:00:00 GMT

Windows

Fixed: DNS resolution issue caused by NRPT rule formatting is resolved.

Tailscale v1.96.2

Wed, 18 Mar 2026 00:00:00 GMT

Note: 1.96.0 and 1.96.1 were release candidates intended for testing only.

All Platforms

New: tailscale dns query|status command supports --json flag to return JSON output.
New: tailscale wait [flags] command waits for Tailscale resources to become available for binding.
New: tailscale ip command supports --assert=<specific-ip-address> flag to assert that one or more of the node's IP addresses matches the specified IP address.
New: tailscale version --track and tailscale update --track support release-candidate flag to check for and update to release candidate builds.
Changed: For 1.96.x, Go is updated from version 1.25 to 1.26.
Changed: Tailscale Peer Relays advertise addresses discovered via Amazon EC2 Instance Metadata Service.
Changed: tailscaled_peer_relay_endpoints gauge user metrics are available for Tailscale Peer Relays.
Fixed: The AuthKey system policy applies only when a user is not in a logged in state.
Fixed: UPnP routes as expected during long lived port mapping sessions scenarios, including hard NAT.

Linux

New: Launch the systray application on startup using autostart file with the tailscale configure systray --enable-startup=freedesktop command.
Changed: Scaling of Tailscale Peer Relays UDP sockets is gated by container-aware GOMAXPROCS defaults.
Fixed: Firewall rules created on Linux platforms correctly mark their traffic, avoiding reverse path filtering dropping connections and producing health warnings and risk prompts.
Fixed: OpenWrt versions 25.12.0 or later using apk as a package manager supports Tailscale updates.

macOS

New: Windowed UI mode for macOS is generally available.
New: Double click an account in the Accounts section to switch to that account.
New: A progress dialog indicates Tailscale is waiting on the browser to complete reauthentication.
Fixed: The open source variant of Tailscale on macOS sets the node:osVersion attribute.
Fixed: The Taildrop Send File action and shortcut do not transmit empty files on macOS Tahoe (version 26) or later.
Fixed: Tailscale data directories for the macOS standalone version are excluded from Time Machine backups.
Fixed: An issue that required a machine reboot after installing a Tailscale update is resolved.

iOS

Changed: iOS bug report ID displays in its entirety instead of being truncated.
Fixed: The Taildrop Send File action and shortcut do not transmit empty files on iOS version 26 or later.

Workload identity federation GA

Thu, 19 Feb 2026 00:00:00 GMT

Changed: Use workload identity federation (generally available) to authenticate Tailscale API requests with federated OIDC workload identities from third-party providers.

Fleet device posture integration

Wed, 18 Feb 2026 00:00:00 GMT

New: Use Fleet Device Management to collect device posture signals from devices in your tailnet.

Huntress device posture integration

Wed, 18 Feb 2026 00:00:00 GMT

New: Use Huntress Managed EDR to collect device posture signals from devices in your tailnet.

Tailscale Peer Relays GA

Wed, 18 Feb 2026 00:00:00 GMT

Changed: Use Tailscale Peer Relays to set up self-hosted high-throughput relay servers when direct connections aren't possible (generally available).

Aperture by Tailscale

Tue, 17 Feb 2026 00:00:00 GMT

New: Use Aperture by Tailscale to secure and monitor LLM sessions and AI agents (alpha).

Tailscale Kubernetes Operator v1.94.2

Fri, 13 Feb 2026 00:00:00 GMT

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

Fixed: Configuring a single invalid Tailscale FQDN for an egress will no longer cause the egress to crash. It will instead log the error and continuing serving traffic.

Tailscale v1.94.2

Thu, 12 Feb 2026 00:00:00 GMT

All Platforms

Fixed: Memory leak caused by high network map response rates is resolved.

Tailscale container image v1.94.1

Thu, 05 Feb 2026 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

New: OAuth and workload identity federation support has been added for containers.

Tailscale Kubernetes Operator v1.94.1

Thu, 05 Feb 2026 00:00:00 GMT

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

New: The Egress proxy can now send traffic to Tailscale service VIPs.
New: Use Kubenetes API server proxy audit logging (beta) to record Kubernetes API events on your cluster, in addition to or instead of entire recordings, that pass through your Kubernetes Operator API server proxy.
Fixed: In high availability (HA) mode, the write replica no longer serves stale TLS certificates after renewal.
Fixed: Setting container resources for the Tailscale container will no longer result in an invalid value error for “1Mi.”

Tailscale tsrecorder v1.94.1

Thu, 05 Feb 2026 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Log streaming integration with Google Cloud Storage

Wed, 04 Feb 2026 00:00:00 GMT

New: Tailscale network flow logs and configuration audit logs can be streamed to Google Cloud Storage (GCS).

Workload identity federation updates

Fri, 30 Jan 2026 00:00:00 GMT

New: Workload identity federation supports provider-native identity token authentication for GitOps for Tailscale with GitHub Actions and GitOps for Tailscale with GitLab CI.
New: Token exchange error details for a federated identity can be found in the Trust credentials page of the admin console.

Tailscale Services GA

Tue, 27 Jan 2026 00:00:00 GMT

Changed: Use Tailscale Services to decouple applications and services from the devices that host them (generally available).

tsnet integration for Tailscale Services

Tue, 27 Jan 2026 00:00:00 GMT

New: tsnet application support for Tailscale Services hosts.

Tailscale v1.94.1

Mon, 26 Jan 2026 00:00:00 GMT

Note: 1.94.0 was a release candidate intended for testing only.

All Platforms

New: tailscaled_home_derp_region_id client metrics are available.
New: tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total client metrics are available for Tailscale Peer Relays.
New: Identity tokens are automatically generated for workload identities.
New: --audience flag added to tailscale up command to support auto generation of ID tokens for workload identity.
New: tsnet nodes can host Tailscale Services.
Changed: The tailscale lock status -json command returns tailnet key authority (TKA) data in a stable format.
Changed: Tailscale Peer Relays deliver improved throughput through monotonic time comparison optimizations and reduced lock contention.
Changed: Tailscale Services virtual IPs are now automatically accepted by clients across all platforms regardless of the status of the --accept-routes feature.

Linux

New: Custom DERP servers support Google Cloud Platform (GCP) Certificate Manager.
New: Tailscale SSH authentication, when successful, results in LOGIN audit messages being sent to the kernel audit subsystem.
Changed: Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket option is supported on multi-core systems.
Fixed: Tailscale Peer Relay server handshake transmission is guarded against routing loops over Tailscale.
Fixed: MagicDNS always resolves when using resolve.conf without a DNS manager.

macOS

New: AuthBrowser.macos system policy sets a preferred browser for opening automatic authentication URLs.
New: HideDockIcon system policy determines if the Tailscale Dock icon persists after all Tailscale windows close.
New: Install and automatically update to release candidate versions of the client in the About section, Release Channel drop-down.
Fixed: DNS related health warnings no longer display when Tailscale DNS is disabled.
Fixed: tssentinelId command injection vulnerability has been removed. This fix addresses a security vulnerability described in TS-2026-001.
Fixed: Ping view is Tailscale Peer Relay aware.

iOS

Fixed: Ping view is Tailscale Peer Relay aware.

tvOS

New: Use Tailscale Subnets toggle is added in Subnet Routing Settings.
Fixed: Ping view is Tailscale Peer Relay aware.

Android

Fixed: Ping view is Tailscale Peer Relay aware.

IS SET and NOT SET device posture operators

Thu, 22 Jan 2026 00:00:00 GMT

New: IS SET and NOT SET have been added as device posture operators.

India DERP Region City Name updated

Wed, 21 Jan 2026 00:00:00 GMT

Changed: The city name for the DERP server hosted in India has been updated to reflect the official name of Bengaluru. The hosting provider and IP addresses remain unchanged.

Tailscale v1.92.5

Tue, 06 Jan 2026 00:00:00 GMT

Linux

Changed: State file encryption and hardware attestation keys are no longer enabled by default.
Fixed: Failure to load hardware attestation keys no longer prevents the client from starting. This could happen when the TPM device is reset or replaced.

Windows

Changed: State file encryption and hardware attestation keys are no longer enabled by default.
Fixed: Failure to load hardware attestation keys no longer prevents the client from starting. This could happen when the TPM device is reset or replaced.

Tailscale container image v1.92.5

Tue, 06 Jan 2026 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: Hardware attestation keys are no longer added to Kubernetes state Secrets, making it possible to change the Kubernetes node the Tailscale containers are deployed on.

Tailscale Kubernetes Operator v1.92.5

Tue, 06 Jan 2026 00:00:00 GMT

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

Changed: Certificate renewal is no longer done as an ARI order by default to avoid renewal failure if ACME account keys are recreated.
Fixed: Hardware attestation keys are no longer added to Kubernetes state Secrets, making it possible to change the Kubernetes node the Tailscale Kubernetes Operator is deployed on.

Tailscale tsrecorder v1.92.5

Tue, 06 Jan 2026 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Workload identity federation API

Mon, 05 Jan 2026 00:00:00 GMT

New: The Tailscale API supports creating, reading, updating, and deleting federated identities.
New: tailscale-client-go-v2 can configure federated identities.
New: The Tailscale Terraform provider can configure federated identities.

Tailscale GitHub Action v4.1.1

Tue, 23 Dec 2025 00:00:00 GMT

Fixed: The Tailscale GitHub Action uses the correct architecture for storing and retrieving caches on macOS-based GitHub runners.

Tailscale container image v1.92.4

Thu, 18 Dec 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: Ensure errors for background certificate renewal failures are logged.

Tailscale Kubernetes Operator v1.92.4

Thu, 18 Dec 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

Fixed: A Helm templating issue that occurred when an OAuth client secret was not set, is resolved.

Tailscale tsrecorder v1.92.4

Thu, 18 Dec 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale container image v1.92.3

Wed, 17 Dec 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: iptables can be used on hosts that don't support nftables, as expected.

Tailscale Kubernetes Operator v1.92.3

Wed, 17 Dec 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

New: The operator supports workload identity federation for authenticating to a tailnet using provider-native identity tokens.
New: tailscale.com/http-redirect annotation can be applied to Ingress resources for enabling HTTP to HTTPS redirects.
Changed: The operator defaults to using the stable image for nameservers deployed using the DNSConfig resource.
Changed: Recorder resources can specify a replica count for highly available deployments. Using multiple replicas requires using an S3 storage backend.
Fixed: ArgoCD compatibility is improved. You can use both boolean and string values when setting the apiServerProxyConfig.mode and apiServerProxyConfig.allowImpersonation values.
Fixed: The operator correctly reconciles managed Ingresses sharing the same namespace as other unmanaged Ingresses.
Fixed: ProxyGroup backed ingresses no longer get stuck during deletion if they use a Tailscale Service that had been deleted.

Tailscale tsrecorder v1.92.3

Wed, 17 Dec 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

New: tsrecorder can use a file containing an auth key for authentication using the TS_AUTHKEY_FILE environment variable.

Tailscale v1.92.3

Tue, 16 Dec 2025 00:00:00 GMT

All platforms

Fixed: WireGuard configuration that occurs automatically in the client, no longer results in a panic.

macOS

Fixed: Tailscale system extension no longer fails to install during an upgrade.

Tailscale v1.92.1

Wed, 10 Dec 2025 00:00:00 GMT

Note: 1.92.0 was a release candidate intended for testing only.

All platforms

New: Tailscale Funnel and Tailscale Serve support the PROXY protocol, a header format that forwards information about the original client connection, such as the source IP and port, to the server before the actual traffic begins.
New: Tailscale Peer Relays can use static endpoints using the tailscale set command with the --relay-server-static-endpoints flag.
New: Tailscale Services can be configured to use a remote target as a service destination.
New: Nodes can authenticate using workload identity federation with the tailscale up command flags --client-id and --id-token.
New: Network flow logs automatically record node information about itself and peers it communicates with.
Changed: Tailnet Lock command tailscale lock log --json response returns Authority Update Messages (AUMs) in a more stable format.
Changed: Tailscale Peer Relay endpoint advertisements include more candidate IP:port pairs.
Fixed: Tailscale Peer Relays support multiple, forward bind packets per handshake generation, which improves path selection and chances of completing a handshake.

macOS

Fixed: Redundant label text for VoiceOver is removed from the exit node picker.

iOS

New: Taildrop supported nodes are shown in Device Details.
Fixed: Redundant label text for VoiceOver is removed from the exit node picker.

Tailscale v1.92.2

Wed, 10 Dec 2025 00:00:00 GMT

macOS

Fixed: Taildrop works as expected using the macOS Share option.

Android

Fixed: An issue in custom control servers (Headscale) that could result in connectivity problems is resolved.

Tailscale v1.90.9

Tue, 25 Nov 2025 00:00:00 GMT

All platforms

Fixed: tailscaled no longer deadlocks during event bursts.
Fixed: The client no longer hangs after wake up when port mapping is in use and interfaces are slow to become available.

Android

Fixed: DNS continues working when switching from cellular to Wi-Fi connections.

Tailscale container image v1.90.9

Tue, 25 Nov 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: tailscaled no longer deadlocks during event bursts.
Fixed: The client no longer hangs after wake up when port mapping is in use and interfaces are slow to become available.

Tailscale Kubernetes operator v1.90.9

Tue, 25 Nov 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

Tailscale tsrecorder v1.90.9

Tue, 25 Nov 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.90.8

Wed, 19 Nov 2025 00:00:00 GMT

Note: v1.90.7 was an internal-only release.

All platforms

Fixed: Panic issue related to Peer Relays is resolved.
Fixed: Deadlock issue no longer occurs when handling Peer Relays endpoint allocation requests.
Fixed: Memory leak in Peer Relays is resolved.

Linux

Fixed: Nodes without the tailscaled --statedir flag or the TS_STATE_DIR environment variable no longer fail to enforce signing checks in tailnets with Tailnet Lock enabled. This fix addresses a security vulnerability described in TS-2025-008.

macOS

Fixed: Connectivity issue related to sleep and wake is resolved.

Tailscale container image v1.90.8

Wed, 19 Nov 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: Nodes without the tailscaled --statedir flag or the TS_STATE_DIR environment variable no longer fail to enforce signing checks in tailnets with Tailnet Lock enabled. This fix addresses a security vulnerability described in TS-2025-008.

Tailscale Kubernetes operator v1.90.8

Wed, 19 Nov 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

Tailscale tsrecorder v1.90.8

Wed, 19 Nov 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

IP changes to Tailscale's logging infrastructure

Thu, 13 Nov 2025 00:00:00 GMT

Changed: The domain log.tailscale.com resolves to static IP address ranges registered and managed by Tailscale. If IP-based rules are required for your firewall, use the IPv4 range 199.165.136.0/24 and the IPv6 range 2606:B740:1::/48.

Note: In most cases, you do not need to configure firewall rules to use Tailscale. For more information, refer to What firewall ports should I open to use Tailscale?

Tailscale v1.90.6

Fri, 31 Oct 2025 00:00:00 GMT

App connectors

Fixed: Routes no longer stall and fail to apply when updated repeatedly in a short period of time.

Tailscale container image v1.90.6

Fri, 31 Oct 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: App connector routes no longer stall and fail to apply when updated repeatedly in a short period of time.

Tailscale Kubernetes operator v1.90.6

Fri, 31 Oct 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

Tailscale tsrecorder v1.90.6

Fri, 31 Oct 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.90.5

Thu, 30 Oct 2025 00:00:00 GMT

Linux

Fixed: Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This affected tailnets that use Tailscale SSH recording.

Tailscale container image v1.90.5

Thu, 30 Oct 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.90.5

Thu, 30 Oct 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

New: DNSConfig nameserver supports Pods with IPv6 addresses and will serve AAAA records.
New: DNSConfig nameserver supports specifying a replica count for high-availability deployment.
New: DNSConfig nameserver supports specifying pod tolerations.
New: ProxyClass now supports the dnsConfig and dnsPolicy fields for refined DNS specifications.
Changed: Reconciler logs are now sent to the Tailscale control plane in addition to the core client logs that are already sent. As before, this can be disabled by setting the TS_NO_LOGS_NO_SUPPORT environment variable to true within the operator deployment.

Tailscale tsrecorder v1.90.5

Thu, 30 Oct 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: tsrecorder is updated with web interface search, filtering, and enhanced design. The web interface supports freeform text search for corresponding metadata such as user ID, date, and invoked commands.
Fixed: kubectl exec sessions record as expected.
Fixed: Cached recordings on large datasets no longer fail if the caching process exceeds one minute.
Fixed: Recordings are no longer stopped when a session exceeds one minute.

Workload identity federation

Thu, 30 Oct 2025 00:00:00 GMT

New: Use workload identity federation (beta) for creation of federated OIDC workload identities from third-party providers to authenticate requests to the Tailscale API.
New: tailscale-client-go-v2 can use workload identity federation for authentication.
New: The Tailscale Terraform provider can use workload identity federation for authentication.
New: The Tailscale GitHub Action can use workload identity federation for auth key generation.
New: The tailscale up command can use workload identity federation for auth key generation.
New: OAuth client scopes and descriptions are editable in the Trust credentials page of the admin console.
Changed: The Trust credentials page of the admin console replaces the OAuth clients page.

Multiple tailnets for a single organization

Wed, 29 Oct 2025 00:00:00 GMT

New: Administer multiple tailnets (alpha) under a single organization, using a common identity provider and domain.

Tailscale Peer Relays

Wed, 29 Oct 2025 00:00:00 GMT

New: Use Tailscale Peer Relays for client-to-client connections when direct connections aren't possible (beta).

Visual policy editor (GA)

Wed, 29 Oct 2025 00:00:00 GMT

Changed: Use the visual policy editor to create and manage your tailnet policy file (generally available).

Tailscale v1.90.4

Tue, 28 Oct 2025 00:00:00 GMT

All platforms

Fixed: A deadlock issue no longer occurs in the client when checking for the network to be available.

Linux

Fixed: tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.

Windows

Fixed: tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.

WASM

Fixed: The JS/WASM client used by tsconnect no longer crashes unexpectedly.

Tailscale Services

Tue, 28 Oct 2025 00:00:00 GMT

New: Use Tailscale Services to decouple applications and services from the devices that host them (beta).

Tailscale v1.90.3

Mon, 27 Oct 2025 00:00:00 GMT

All platforms

Fixed: tailscaled shuts down as expected and without panic.

Linux

Fixed: tailscaled starts up as expected in a no router configuration environment.

macOS

Fixed: The Tailscale dock icon closes as expected when the client is not using the windowed UI (beta).

FreeBSD

Fixed: tailscaled starts up as expected in a no router configuration environment.

OpenBSD

Fixed: tailscaled starts up as expected in a no router configuration environment.

Tailscale v1.90.2

Fri, 24 Oct 2025 00:00:00 GMT

Linux

Fixed: An iptables regression on non-amd64/arm64 platforms is resolved, and the client starts as expected.
Fixed: Running Tailscale on devices equipped with Trusted Platform Module (TPM) 1.x no longer causes the tailscaled daemon to fail.

Tailscale GitHub Action v4.0.3

Fri, 24 Oct 2025 00:00:00 GMT

Fixed: The Tailscale GitHub Action stops the background Tailscale processes when a CI job finishes.
Fixed: The Tailscale GitHub Action validates that tags are specified when using an OAuth client.

Tailscale v1.90.1

Thu, 23 Oct 2025 00:00:00 GMT

Note: 1.90.0 was a release candidate intended for testing only.

All platforms

New: Clients can use configured DNS resolvers for all domains even when the client also uses an exit node using the nameserver settings in the DNS page of the admin console.
New: Node keys will be renewed seamlessly, so clients will maintain existing connections while re-authenticating.
Changed: Go is updated to version 1.25.3.
Fixed: Unnecessary path discovery packets over DERP servers are suppressed.

Linux

Changed: Node key sealing is GA (generally available) and enabled by default. Existing nodes will migrate to node key sealing automatically on upgrade. For more information, including how to opt out, refer to Secure node state storage.

Windows

Changed: Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.

macOS

New: The Hide Dock Icon checkbox located in Settings lets you remove the Tailscale icon from the macOS dock when the client window is closed.
Changed: The tailscale drive CLI command for sharing Taildrive directories is no longer available. Use the client GUI for sharing directories instead.
Changed: Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.
Fixed: Exit node selection using the macOS Shortcuts app work as expected.
Fixed: Accounts displayed using the macOS menu bar Tailscale icon load as expected.
Fixed: Client users preference for automatic/recommended exit node selection is remembered as expected.

iOS

Fixed: Exit node selection using the iOS Shortcuts app work as expected.
Fixed: Client users preference for automatic/recommended exit node selection is remembered as expected.

Android

Fixed: Client is able to establish direct connections as expected.

Tailnet name type changes in the admin console

Thu, 16 Oct 2025 00:00:00 GMT

Note: For more in-depth details about all the tailnet names and types, refer to Tailnet name types.

New: The Display name field is added to the Settings > General page of the admin console. This is an optional field that lets you assign a custom display name to your tailnet that appears in the admin console, client UI, and client CLI, instead of your domain or email address.
New: The Tailnet ID field is added to the Settings > General page of the admin console. This string should be used in the tailnetId field for Tailscale API path parameters instead of your organization name.
Changed: The Organization field in Settings > General page of the admin console is renamed Legacy ID. This field will continue to display for existing tailnets but will not display for newly created tailnets.

Tailscale GitHub Action v4.0.2

Wed, 15 Oct 2025 00:00:00 GMT

Fixed: The Tailscale GitHub Action no longer logs the output of all shell commands to the runner's console unless debug logging is enabled.
Fixed: The Tailscale GitHub Action masks authentication secrets in logs unless debug logging is enabled.

Tailscale v1.88.4

Tue, 14 Oct 2025 00:00:00 GMT

macOS

Fixed: The macOS Firewall system setting Block all incoming connections no longer causes intermittent connectivity disruptions when enabled.

Tailscale container image v1.88.4

Tue, 14 Oct 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

Tailscale GitHub Action v4.0.1

Tue, 14 Oct 2025 00:00:00 GMT

Fixed: The Tailscale GitHub Action no longer logs the output of the tailscale status command to the runner's console.

Tailscale GitHub Action v4.0.0

Tue, 14 Oct 2025 00:00:00 GMT

New: The Tailscale GitHub Action supports a ping parameter to verify connectivity to tailnet devices.
New: The Tailscale GitHub Action logs out the Tailscale ephemeral node at the end of the CI run, removing it from the tailnet immediately.
New: The Tailscale GitHub Action is implemented as a JavaScript action and requires runners that are capable of installing Node.js 24.
Changed: Caching of Tailscale binaries is enabled by default.
Fixed: DNS resolvers are properly set on macOS. Previously, attempting to reach devices using their full domain of the form my-node.my-tailnet.ts.net would fail due to incorrect DNS settings.

Tailscale Kubernetes operator v1.88.4

Tue, 14 Oct 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

Preset app support for Amazon AWS, Salesforce (Hyperforce), and Microsoft 365

Tue, 14 Oct 2025 00:00:00 GMT

New: Preset apps are available for Amazon AWS services such as Amazon CloudFront, Amazon EC2, and Amazon S3, Salesforce (Hyperforce), and Microsoft 365.

Tailscale tsrecorder v1.88.4

Tue, 14 Oct 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Expanded `autogroup:self` compatibility

Thu, 09 Oct 2025 00:00:00 GMT

Updated: Use autogroup:self as a destination for any grant, ACL, or SSH src that includes autogroup:<role>, groups, or individual users in the tailnet policy file.

Updated devices API

Wed, 08 Oct 2025 00:00:00 GMT

Changed: The Read and List endpoint responses in the Devices API include a connectedToControl flag, which indicates whether the device has recently connected to the Tailscale control server.
Changed: The lastSeen field is included only when connectedToControl is false.

Tailscale container image v1.88.3

Mon, 29 Sep 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.88.3

Mon, 29 Sep 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Note: This version contains no changes except for library updates.

Tailscale tsrecorder v1.88.3

Mon, 29 Sep 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.88.3

Thu, 25 Sep 2025 00:00:00 GMT

All platforms

Fixed: Control plane connection issues which might have resulted in timing out during retries.

macOS

Fixed: Taildrive list of devices loads as expected when selecting File Sharing > Choose Shared Folders.

iOS

Fixed: The UI and device list display as expected when initially connecting to the tailnet.

OpenBSD

Fixed: The client starts as expected when using the tailscale up command for the first time or re-authenticating a node.

Tailscale container image v1.88.2

Thu, 18 Sep 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: Kubernetes sidecars no longer error on first run if their state Secret doesn't exist.

Tailscale Kubernetes operator v1.88.2

Thu, 18 Sep 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

New: ProxyClass resources supports setting a priorityClassName for created Pods.
New: Connector resources can specify multiple replicas for highly available subnet routers, app connectors, and exit nodes.
Fixed: DNSConfig resource works as expected for egress ProxyGroups.
Fixed: Multi-cluster ingress devices no longer display an erroneous "Invalid certificate" message in the Machines page of the admin console.

Tailscale tsrecorder v1.88.2

Thu, 18 Sep 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.88.2

Wed, 17 Sep 2025 00:00:00 GMT

macOS

Fixed: The Settings button displays correctly when no account is logged in to the client.
Fixed: UserDefaults, which apps and system policies use to store and read preferences, force string values like true or 1 into Booleans as expected.

iOS

Fixed: UserDefaults, which apps and system policies use to store and read preferences, force string values like true or 1 into Booleans as expected.

Tailscale v1.88.1

Thu, 11 Sep 2025 00:00:00 GMT

Note: v1.88.0 was an internal-only release.

All platforms

Changed: Tailscale CLI prompts users to confirm with y/n before proceeding with impactful actions.
Changed: Go is updated to version 1.25.1.
Fixed: Tailscale SSH works as expected when using an IP address instead of a hostname and MagicDNS is disabled.
Fixed: Taildrive folder sharing works correctly even when the su command is not present on the Linux or other Unix-like host.
Fixed: Taildrive files remain consistently accessible.

Linux

New: The system tray application for Linux desktops can be enabled to display some of the GUI options available in other Tailscale clients, including fast user switching and exit node selection.

Windows

New: The existing ExitNodeID=auto:any system policy supports the new ExitNode.AllowOverride policy option that lets users select a different exit node while still requiring exit node usage.

macOS

New: The existing ExitNodeID=auto:any system policy supports the new ExitNode.AllowOverride policy option that lets users select a different exit node while still requiring exit node usage.
New: Windowed UI mode (beta) provides an updated client experience. To test, go to the Settings page of the admin console and toggle Redesigned macOS Client UI. Once enabled, all macOS clients display the new interface.
New: UseSystemProxy default setting to indicate whether Tailscale respects proxy settings defined in System Settings.
New: advertiseExitNode system policy is available on macOS.
Changed: macOS 12 is the minimum supported version.
Fixed: Automatic recommended exit node selection.
Fixed: UI improvements for iOS 26 and macOS 26 compatibility.

iOS

Fixed: UI improvements for iOS 26 and macOS 26 compatibility.

QNAP

Fixed: New QNAP builds are available again. At the time of this release, you can manually download the update from our packages site. After a period of time, the update will also be available in QNAP App Center.

DERP server IP address changes for Singapore

Thu, 11 Sep 2025 00:00:00 GMT

Changed: The IPv4 and IPv6 addresses for the Singapore DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

DERP server IP address changes for Tokyo

Wed, 10 Sep 2025 00:00:00 GMT

Changed: The IPv4 and IPv6 addresses for the Tokyo DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

DERP server IP address changes for Sydney

Tue, 09 Sep 2025 00:00:00 GMT

Changed: The IPv4 and IPv6 addresses for the Sydney DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

Tailscale container image v1.86.5

Fri, 22 Aug 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.86.5

Fri, 22 Aug 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Fixed: DNS lookup errors that occur when routing traffic for a ProxyGroup of type kube-apiserver while running the API server proxy in high-availability mode.

Tailscale tsrecorder v1.86.5

Fri, 22 Aug 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

DERP server IP address changes for São Paulo

Tue, 19 Aug 2025 00:00:00 GMT

Changed: The IPv4 and IPv6 addresses for the São Paulo DERP servers have changed. If you use custom firewall settings that rely on these addresses specifically, refer to the information in our DERP map and make the necessary updates. Otherwise, no action is required.

Tailscale v1.86.4

Thu, 07 Aug 2025 00:00:00 GMT

Note: v1.86.3 was an internal-only release.

macOS

Changed: EncryptState system policy changes are applied without needing to restart the system extension.
Fixed: Startup crash on a fresh install of the Standalone variant of the client when the EncryptState system policy is enabled.

Android

Fixed: Persistent notifications about the Taildrop directory picker. The notification only displays on the first attempt to use the feature.

Visual policy editor

Tue, 05 Aug 2025 00:00:00 GMT

Updated: Use the visual policy editor to manage your tailnet policy file (beta).

Tailscale container image v1.86.2

Thu, 31 Jul 2025 00:00:00 GMT

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: We previously referred to this as the Tailscale Docker image and now refer to it more generically as the Tailscale container image.

New: Improved direct connectivity to ProxyGroup Pods by using external node IP addresses as static endpoints.
Fixed: Pod-specific state is cleared on start when running in Kubernetes.

Tailscale Kubernetes operator v1.86.2

Thu, 31 Jul 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

New: The first release of Tailscale Kubernetes proxy is available.
New: Record kubectl attach and kubectl debug sessions to tsrecorder.
New: Helm chart outputs suggests next steps after installation.
New: ProxyGroup type kube-apiserver for running the API server proxy in a high-availability mode.
New: ProxyClass can use annotations instead of labels. We recommend using annotations, but labels will continue to work.
New: Custom Ingress class names are supported instead of the default tailscale class name.
New: Static cluster IP for DNSConfig nameservers.
New: Improved direct connectivity to ProxyGroup Pods by using external node IP addresses as static endpoints.
Fixed: Tags passed to Tailscale Kubernetes Services are validated using tailscale.com/tags annotation to validate ACL tags.
Fixed: Kubernetes operator validates that a cluster does not contain more than one Tailscale Kubernetes Service that refers to the same Tailscale Service.
Fixed: Reliability of ProxyGroup proxies when updated and restarted.

Tailscale tsrecorder v1.86.2

Thu, 31 Jul 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.86.2

Tue, 29 Jul 2025 00:00:00 GMT

Note: v1.86.1 was an internal-only release.

All platforms

Fixed: A deadlock issue that may have occurred in the client.
Fixed: An occasional crash when establishing a new port mapping with a gateway or firewall.

macOS

Fixed: Issue preventing the reading of existing state files that may have required device re-approval if device approval is enabled on the tailnet.
Fixed: A spurious warning about uninstalling the system extension when upgrading the client.
Fixed: tailscale syspolicy CLI command output displays correctly when the KeyExpirationNotice or ReconnectAfter system policies are configured.

Windows

Fixed: tailscale syspolicy CLI command output displays correctly when the KeyExpirationNotice or ReconnectAfter system policies are configured.

Tailscale v1.86.0

Thu, 24 Jul 2025 00:00:00 GMT

Note: Tailscale halted the rollout of version 1.86.0 for macOS on July 25, 2025, and for all other platforms on July 28, 2025, due to multiple regressions.

All platforms

New: tsStateEncrypted device posture attribute for checking whether the Tailscale client state is encrypted at rest.
Fixed: Cross-site request forgery (CSRF) issue that may have resulted in a log in error when accessing the web interface.
Fixed: Hostnames are verified as expected when using CONNECT HTTPS proxy to connect to the control plane.
Fixed: Recommended exit node when the previously recommended exit node is offline.

Linux

New: tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
New: tailscaled CLI command flag --encrypt-state encrypts the node state file on the disk using trusted platform module (TPM).

Windows

New: tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
New: EncryptState system policy enforces storing the node state file in encrypted format on disk using trusted platform module (TPM).
Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
Fixed: AlwaysOn system policy is enforced as expected.
Fixed: System tray icon display a notification when the selected exit node is unavailable.
Fixed: Mullvad exit node picker hides after switching from a profile with Mullvad exit nodes to one without any exit nodes.
Fixed: WDAP/PAC proxy detection on Windows 10 1607 and earlier to ensure successful connectivity when a proxy is required.

macOS

New: tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
New: ReconnectAfter system policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting.
New: EncryptState system policy enforces storing the node state file in the Keychain. The App Store variant of the client always uses the Keychain regardless of this setting.
New: OnboardingFlow system policy enforces the suppression of the onboarding flow that displays when the client is installed. This replaces the deprecated TailscaleOnboardingSeen system policy.
New: Remove all accounts option in the Debug menu.
Changed: TailscaleOnboardingSeen system policy is deprecated. Use the new OnboardingFlow system policy instead.
Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
Fixed: AlwaysOn system policy is enforced as expected.
Fixed: Shortcut action issues.

iOS

Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
Fixed: Reset keychain option issues.
Fixed: Shortcut action issues.
Fixed: Taildrop resending issues.

tvOS

Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.

Grafana Cloud integration

Thu, 24 Jul 2025 00:00:00 GMT

New: Securely connect private data sources to Grafana Cloud with Tailscale (beta).

IP changes to Tailscale's control plane

Thu, 17 Jul 2025 00:00:00 GMT

Changed: The domains login.tailscale.com, controlplane.tailscale.com, and api.tailscale.com resolve to static IP address ranges registered and managed by Tailscale. If IP-based rules are required for your firewall, use the IPv4 range 192.200.0.0/24 and the IPv6 range 2606:B740:49::/48.

Note: In most cases, you do not need to configure firewall rules to use Tailscale. For more information, refer to What firewall ports should I open to use Tailscale?

Tailscale v1.84.3

Thu, 26 Jun 2025 00:00:00 GMT

Note: The Tailscale v1.84.3 client release includes fixes for Android TV only, and is exclusively released for Android TV.

Android TV

Fixed: Internal issue.

Tailscale Docker image v1.84.3

Thu, 26 Jun 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

Tailscale GitHub Action fix for headless Windows runners

Thu, 26 Jun 2025 00:00:00 GMT

Fixed: The Tailscale GitHub Action works on headless Windows-based runners for systems that do not have a graphical desktop environment. Previously, running tailscale up would fail on systems such as Windows 11 Arm64 due to the missing --unattended argument required to enable unattended mode.

Tailscale Kubernetes operator v1.84.3

Thu, 26 Jun 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Fixed: Issue in high availability (HA) ingress that prevents the Ingress proxies from issuing TLS certificates on initial startup.

Tailscale tsrecorder v1.84.3

Thu, 26 Jun 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailnet Lock GA

Mon, 23 Jun 2025 00:00:00 GMT

Changed: Tailnet Lock GA (generally available)
- Use Tailnet Lock to require your tailnet to verify new node keys distributed by the coordination server before trusting them.

Tailscale v1.84.2

Mon, 09 Jun 2025 00:00:00 GMT

Windows

Changed: This release is signed with a new code signing certificate. The certificate subject and issuer remain unchanged, but the certificate has a new serial number.

Tailscale Docker image v1.84.2

Mon, 09 Jun 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repository.

Fixed: Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted from stricter CLI arguments parsing introduced in Tailscale v1.84.0.

Tailscale Kubernetes operator v1.84.2

Mon, 09 Jun 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

Fixed: Explicitly specify protocol for Tailscale Services backing HA Ingress.

Tailscale tsrecorder v1.84.2

Mon, 09 Jun 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

App connectors GA

Tue, 03 Jun 2025 00:00:00 GMT

Changed: App connectors GA (generally available)
- Secure your software as a service (SaaS) application connections to your tailnet with app connectors.

Updated UI to prevent accidental tailnet policy file changes

Tue, 03 Jun 2025 00:00:00 GMT

New: Policy file management page in the admin console. Use the Policy file management page to prevent accidental policy file changes.
New: Use the External reference section in the Policy file management page to specify the URL for your GitOps for Tailscale repository.
Changed: We deprecated the GitOps code comment technique for specifying the URL for your GitOps for Tailscale repository. Use the Policy file management page in the admin console instead. If you use both the Policy file management page and the code comment technique, the Policy file management setting has precedence.

Tailscale v1.84.1

Thu, 29 May 2025 00:00:00 GMT

macOS

Fixed: DNS drops when changing networks.

iOS

New: Setting to toggle subnet routing.
Fixed: Issue where Taildrop notifications may not be presented.
Fixed: Issue where subnet routing would default to off.

Android

Fixed: Issue where Mullvad nodes may be listed as tailnet devices.
Fixed: Issue where subnet routing would default to off.
Fixed: Present a modal dialog that explains why you are prompted to select a directory.

Grants GA

Thu, 29 May 2025 00:00:00 GMT

Changed: Use grants to define unified network and application layer access controls (generally available).
- Note: The default tailnet policy file now uses grants syntax instead of the original ACL syntax, but makes no changes to the effective permissions. This applies to all new tailnets and any tailnet policy file that has never been edited.
Changed: Use via to control how traffic routes from a source to a destination, such as through specific exit nodes, subnet routers, or app connectors (generally available).

Tailscale Docker image v1.84.0

Fri, 23 May 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repository.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.84.0

Fri, 23 May 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, refer to our installation instructions.

New: Tailscale Ingress resource supports high availability (HA) mode and multiplexing by using a ProxyGroup. You can expose an Ingress resource to a tailnet by using multiple active proxy replicas (Pods). You can multiplex multiple Ingress resources on the same set of proxy Pods.
New: Tailscale Kubernetes Services support HA mode and multiplexing. You can expose a cluster app to a tailnet by using multiple active network layer proxy Pods to help prevent downtime. You can expose multiple apps to a tailnet on the same set of proxy Pods.
New: Tailscale Ingress supports exposing applications deployed across multiple clusters (multi-cluster Ingress) to the tailnet.
New: Pods deployed for a Recorder resource can use AWS IAM Roles for Service Accounts (IRSA) instead of static Amazon S3 credentials by configuring the created ServiceAccount object's name and annotations.
New: Tailscale Kubernetes Services support exposing to tailnet applications that are deployed across multiple clusters (multi-cluster Service).
Changed: Tailscale Kubernetes operator needs to watch EndpointSlice objects at cluster scope, to ensure failover for multi-cluster Service and Ingress resources in cases where there are no healthy backends in one of the clusters.
Fixed: The Kubernetes Operator will default any path left unset on an Ingress resource to the / path.

Tailscale tsrecorder v1.84.0

Fri, 23 May 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.84.0

Wed, 21 May 2025 00:00:00 GMT

All platforms

New: The --reason flag is added to the tailscale down command.
Changed: Tailscale CLI commands throw an error if multiple of the same flag are detected.
Fixed: Network connectivity issues when creating a new profile or switching profiles while using an exit node.

Linux

Fixed: DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet.

Windows

New: AlwaysOn.Enabled and AlwaysOn.OverrideWithReason policy settings, which enable and configure a Tailscale client mode where the client stays connected at all times, unless an exception applies.
New: ReconnectAfter policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting.
New: When Always On mode is enabled, Tailscale connects as soon as a user signs in to the device and stays connected, regardless of whether the GUI is running. This enables access to tailnet resources, such as network-mapped drives, earlier in the sign-in process, and can also be used on headless Windows environments.
New: EnableDNSRegistration policy setting, which configures whether Tailscale IP addresses should be registered with Active Directory DNS.
New: The Tailscale GUI starts for all signed-in users when the client is installed.
Fixed: DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet.
Fixed: Issue where the Tailscale GUI would not start if the client was installed via Group Policy or mobile device management (MDM) while a user was already signed in.
Fixed: Issue where the Tailscale GUI did not auto-start after a client update.

macOS

New: AlwaysOn.Enabled and AlwaysOn.OverrideWithReason policy settings, which enable and configure a Tailscale client mode where the client stays connected at all times, unless an exception applies.
Changed: ForceEnabled policy setting is deprecated in favor of the AlwaysOn policy setting.
Fixed: DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet.
Fixed: Tailscale automatically recreates and/or reactivates its VPN configuration on start.
Fixed: Occasional crash in client during engine updates.
Fixed: Taildrop share sheet displays the correct error page when the tunnel is not connected.
Fixed: Hostname detection is improved in macOS clients running on macOS v15.x.
Fixed: Client (GUI) logs are properly captured and recorded in bug reports.

iOS

New: AlwaysOn.Enabled and AlwaysOn.OverrideWithReason policy settings, which enable and configure a Tailscale client mode where the client stays connected at all times, unless an exception applies.
Changed: ForceEnabled policy setting is deprecated in favor of the AlwaysOn policy setting.
Fixed: Taildrop share sheet displays the correct error page when the tunnel is not connected.
Fixed: Tailscale automatically recreates and/or reactivates its VPN configuration on start.
Fixed: Client (GUI) logs are properly captured and recorded in bug reports.
Fixed: Occasional crash in client during engine updates.

tvOS

Fixed: Tailscale automatically recreates and/or reactivates its VPN configuration on start.
Fixed: Client (GUI) logs are properly captured and recorded in bug reports.
Fixed: Occasional crash in client during engine updates.

Android

New: ReconnectAfter policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting.
Fixed: Issue where Tailscale was disconnecting after excluding apps via split tunneling.

Tailscale Docker image v1.82.5

Mon, 05 May 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.82.5

Mon, 05 May 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

Note: This version contains no changes except for library updates.

Programmatic management of OAuth clients

Mon, 05 May 2025 00:00:00 GMT

New: The Keys management APIs and Terraform Provider support managing OAuth clients programmatically.

Tailscale tsrecorder v1.82.5

Mon, 05 May 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Trigger device posture integration for new nodes

Tue, 22 Apr 2025 00:00:00 GMT

New: We made a change to how device posture integrations are scheduled, prioritizing syncing of attributes for new nodes. Tailnets that use device posture integrations should see third-party attributes populated for new nodes faster than before.

Code folding in ACL editor

Mon, 21 Apr 2025 00:00:00 GMT

New: The ACL editor in the Access Controls page of the admin console supports code folding, improving usability when navigating and managing large tailnet policy files. Collapse and expand sections like hosts and groups for a cleaner editing experience.

Tailscale v1.82.5

Thu, 17 Apr 2025 00:00:00 GMT

All platforms

Fixed: A panic issue related to CUBIC congestion control in userspace mode is resolved.

macOS

Fixed: The VPN approval message during the client installation displays as expected.
Fixed: An issue related to the reachability of upstream DNS servers with loopback IPs is resolved.

Windows

Fixed: A service panic issue on the 32-bit version of Windows 10 is resolved.

Tailscale v1.82.4

Tue, 15 Apr 2025 00:00:00 GMT

Note: Tailscale v1.82.4 includes fixes for Android devices only, and is exclusively released for Android. Tailscale v1.82.2 and v1.82.3 were internal-only releases.

Android

Fixed: An issue that might have resulted in the Tailscale app crashing on devices running versions earlier than Android 13 is resolved.

Tailscale GitHub Action for macOS and Windows GA

Wed, 09 Apr 2025 00:00:00 GMT

Changed: Use the Tailscale GitHub Action on macOS and Windows runners (generally available). For more information, see the topic Tailscale GitHub Action.
Changed: The Tailscale GitHub Action supports caching Tailscale binaries when the use-cache input is set to 'true'.

Tailscale Terraform Provider v0.19.0

Wed, 09 Apr 2025 00:00:00 GMT

v0.19.0 of the Tailscale Terraform Provider has been released with the following changes:

Changed: tailscale_logstream_configuration resource supports configuring uploadPeriodMinutes and compressionFormat.

Tailscale Kubernetes Operator session recording

Wed, 02 Apr 2025 00:00:00 GMT

New: Use Tailscale Kubernetes Operator session recording to record kubectl exec session contents when using the Kubernetes API server proxy (beta).

Tailscale Kubernetes Operator GA

Wed, 02 Apr 2025 00:00:00 GMT

Changed: Tailscale Kubernetes Operator GA (generally available).
- Use the Kubernetes Operator to integrate Tailscale with Kubernetes clusters.

Tailscale Docker image v1.82.0

Mon, 31 Mar 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Changed: Alpine image is updated to version 3.19.

Tailscale Kubernetes operator v1.82.0

Mon, 31 Mar 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

New: Ingress TLS certificates can be issued from Let's Encrypt's staging environment to avoid bumping into rate limits during initial setup. See our GitHub documentation on ProxyClass APIs to learn more.
Changed: Alpine image is updated to version 3.19.

Tailscale tsrecorder v1.82.0

Mon, 31 Mar 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale v1.82.1

Thu, 27 Mar 2025 00:00:00 GMT

Note: v1.82.1 includes fixes for Android devices only, and is exclusively released for Android.

Android

New: Device search is available on Android TV running Android 13 or later.
New: Enhanced device search UI is available on all devices running Android 13 or later.

Tailscale v1.82.0

Wed, 26 Mar 2025 00:00:00 GMT

All platforms

New: DERP functionality within the client supports certificate pinning for self-signed IP address certificates for those unable to use Let's Encrypt or WebPKI certificates.
Changed: Go is updated to version 1.24.1
Changed: NAT traversal code uses the DERP connection that a packet arrived on as an ultimate fallback route if no other information is available, in the event of a slow or misbehaving server.
Fixed: Captive portal detection reliability is improved on some in-flight Wi-Fi networks, including British Airways and WestJet.
Fixed: Port mapping success rate is improved by retrying in additional error cases.
Fixed: Web interface setting changes occur as expected and without error.

macOS

Changed: The .pkg installer size is decreased by 35%.
Fixed: Memory leak issue related to shortcuts is resolved.
Fixed: MagicDNS intermittent configuration failures no longer occur when waking from sleep.
Fixed: Seamless key renewals occur as expected, ensuring the client remains connected.

iOS

Fixed: Memory leak issue related to shortcuts is resolved.
Fixed: MagicDNS intermittent configuration failures no longer occur when waking from sleep.

Android

Note: The Android client release for v1.82.0 was delayed and moved into the v1.82.1 client release instead.

App connectors

Fixed: Port mapping success rates for app connectors are improved.

Tailscale GitHub Action support for Windows and macOS

Thu, 13 Mar 2025 00:00:00 GMT

New: The Tailscale GitHub Action supports running on Windows runners (beta).
New: The Tailscale GitHub Action supports running on macOS runners (beta).

Admin console session timeout update

Fri, 07 Mar 2025 00:00:00 GMT

Fixed: An issue related to admin console sessions remaining active longer than the configured console session inactivity timeouts (TS-2025-001).

Helsinki DERP region

Wed, 05 Mar 2025 00:00:00 GMT

New: Helsinki is added as a DERP region.

Tailscale promo codes for plan upgrades

Wed, 05 Mar 2025 00:00:00 GMT

New: Promo codes can be applied when upgrading to a Tailscale paid plan in the Billing page of the admin console. While upgrading your plan, go to the Upgrading to section and select Apply promo code. For more information, see Pricing & Plans FAQ.

Tailscale v1.80.3

Tue, 04 Mar 2025 00:00:00 GMT

Linux

Fixed: Web interface setting changes occur as expected and without error.

App connectors

Fixed: App connectors respond to DNS queries and update routes without failure. Previously, DNS resolution failures may have occurred due to a routing deadlock issue.

Tailscale Docker image v1.80.3

Tue, 04 Mar 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.80.3

Tue, 04 Mar 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

Note: This version contains no changes except for library updates.

Tailscale tsrecorder v1.80.3

Tue, 04 Mar 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale Terraform Provider v0.18.0

Wed, 26 Feb 2025 00:00:00 GMT

v0.18.0 of the Tailscale Terraform Provider has been released with the following changes:

Changed: The tailscale_logstream_configuration resource can now manage streaming to Amazon S3 and S3-compatible services
Changed: The tailscale_tailnet_key resource can now be imported.
New: Added a reset_acl_on_destroy property to the tailscale_acl resource which optionally allows for resetting the Tailscale policy file to its default when the resource is destroyed.

Ashburn and Nuremberg DERP regions

Thu, 13 Feb 2025 00:00:00 GMT

New: Ashburn and Nuremberg are added as DERP regions. We added them December 5, 2024, and apologize for the late notice.

Tailscale v1.80.2

Thu, 13 Feb 2025 00:00:00 GMT

All platforms

Fixed: Nodes could lose the display names of owners of peers in rare cases. This had manifested in missing names in tailscale status and could prevent incoming Tailscale SSH connections from being accepted. The behavior is reverted to that of v1.78.x and earlier.

Linux

Fixed: SSH clients that skip the none auth method and immediately try publickey can connect to Tailscale SSH as expected. The behavior is reverted to that of v1.78.x and earlier.

macOS

Fixed: SSH clients that skip the none auth method and immediately try publickey can connect to Tailscale SSH as expected. The behavior is reverted to that of v1.78.x and earlier.

FreeBSD

Fixed: SSH clients that skip the none auth method and immediately try publickey can connect to Tailscale SSH as expected. The behavior is reverted to that of v1.78.x and earlier.

Country device posture attribute GA

Fri, 07 Feb 2025 00:00:00 GMT

Changed: Use ip:country as a geolocation device posture attribute (generally available).

Tailscale v1.80.1

Thu, 06 Feb 2025 00:00:00 GMT

macOS

Fixed: System extension uninstalled message no longer appears erroneously when removing third-party system extensions while Tailscale is running.
Fixed: Resolved an issue that could have caused the network extension to crash in rare cases while parsing the macOS routing table.

iOS

Fixed: Resolved an issue that could have caused the network extension to crash in rare cases while parsing the iOS routing table.

tvOS

Fixed: Resolved an issue that could have caused the network extension to crash in rare cases while parsing the tvOS routing table.

Tailscale Docker image v1.80.0

Mon, 03 Feb 2025 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Changed: TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
Fixed: Tailscale Funnel configuration on devices displays errors when incoming connections are not permitted and connections are disallowed.
Fixed: Tailscale Funnel disabled on a device no longer displays as enabled in the admin console.
Fixed: Serve config provided using the TS_SERVE_CONFIG environment variable successfully loads for tailnets with HTTPS disabled, as long as the serve config does not define an HTTPS endpoint.

Tailscale Kubernetes operator v1.80.0

Mon, 03 Feb 2025 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: The optional ServiceMonitor created for the proxy metrics endpoints can be labelled with user-specified labels.
New: Proxies created for the Kubernetes Operator dynamically reload the tailscaled configuration when it has changed. Changes such as a hostname might mean slightly slower change propagation (up to a minute), but less downtime.
Changed: TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
Fixed: Improved failover for egress ProxyGroup replicas. Replica restarts no longer cause downtime for cluster workloads that access tailnet targets using egress ProxyGroup.

Tailscale tsrecorder v1.80.0

Mon, 03 Feb 2025 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.

Tailscale v1.80.0

Thu, 30 Jan 2025 00:00:00 GMT

All platforms

New: Hostname system policy is added for overriding the device hostname configured by the operating system, using an MDM solution.
Changed: tailscale configure CLI command and corresponding subcommands are no longer in alpha, except for the subcommand kubeconfig, which remains in alpha.
Fixed: Web interface displays a Login button instead of the Reauthenticate button when adding a new device to your tailnet.
Fixed: Tailscale Funnel configuration on devices displays errors when incoming connections are not permitted and connections are disallowed.
Fixed: Connections to a custom coordination server that does not support HTTPS will no longer fail when a custom port number is specified.

Linux

Changed: TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
Fixed: Tailscale Funnel disabled on a device no longer displays enabled in the admin console.

Windows

New: Onboarding flow is added for easier initial setup of the app.
Changed: TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
Fixed: Client installs as expected when using Group Policy Software Installation (GPSI).
Fixed: Race conditions that result in an incorrect state or a deadlock no longer cause issues when multiple Windows users are logged in simultaneously.

macOS

New: configure sysext activate, configure sysext deactivate, and configure sysext status CLI commands are added to the Standalone variant for managing the activation flow of the macOS system extension programmatically.
New: Standalone variant detects if the system extension is manually disabled or uninstalled by the user and displays a notice in the client UI.
New: Flush DNS Cache option is added to the Debug menu.
Changed: TLS certificate requests from Let’s Encrypt include the device's DNS name in the CSR’s SAN extension and set the Common Name field.
Fixed: App preferences re-set configures Use Tailscale Subnets to On and Allow Incoming Connections to Off as these are the default settings.
Fixed: Find Devices shortcut action no longer hangs.
Fixed: Standalone variant works as expected when users are not members of staff macOS user group.

iOS

New: Auth keys can be used for connecting to a custom coordination server.
Changed: VPN extension no longer runs when logging out.
Fixed: Find Devices shortcut action no longer hangs.

tvOS

New: Auth keys are supported for authenticating an Apple TV in your tailnet.
New: Auth keys can be used for connecting to a custom coordination server.
Changed: VPN extension no longer runs when logging out.

Android

New: Devices can be configured as a subnet router in the Settings menu of the app.

GitHub username change automatically updates tailnet name

Wed, 29 Jan 2025 00:00:00 GMT

Changed: When a user changes their GitHub username used to authenticate to a GitHub personal tailnet, upon next Tailscale login their tailnet name will automatically be renamed. This is a change from the previous behavior, which required the user to file a request with the Tailscale support team to rename the tailnet.

4via6 subnet routers GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Use 4via6 subnet routers to route traffic when you have existing subnets with overlapping IPv4 addresses (generally available).

Auto approvers GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Use auto approvers to auto-approve advertised subnet routes and exit nodes (generally available).

Node attributes GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Configure different NextDNS profiles for different devices using nodeAttrs (generally available).

Download invoices GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Download invoices for your Tailscale account in the Billing page of the admin console (generally available).

Fast user switching GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Use fast user switching to quickly switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate (generally available).

Configuration log streaming integration with S3 buckets GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Stream configuration audit logs to Amazon S3 and S3-compatible services (generally available).

Network flow log streaming integration with S3 buckets GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Stream network flow logs to Amazon S3 and S3-compatible services (generally available).

NextDNS profiles per device GA

Mon, 27 Jan 2025 00:00:00 GMT

Changed: Use different NextDNS profiles for different devices (generally available).

GitHub secret scanning

Wed, 22 Jan 2025 00:00:00 GMT

New: GitHub secret scanning supports detecting and revoking leaked Tailscale secrets.

Tailscale v1.78.3

Fri, 13 Dec 2024 00:00:00 GMT

Note: Tailscale v1.78.2 was an internal-only release.

Containers

Fixed: Unit test that would previously fail if run in a container.

iOS

Fixed: Advanced DNS Settings view unexpectedly dismissed on iPhone.

Android

Fixed: Work in progress search bar is hidden behind a flag until the feature is ready.

Tailscale Docker image v1.78.3

Thu, 12 Dec 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Fixed: A nil pointer exception when serve config is provided via the TS_SERVE_CONFIG environment variable.

Tailscale Kubernetes operator v1.78.3

Thu, 12 Dec 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

Note: This version contains no changes except for library updates.

Mullvad exit nodes with trial tailnets

Thu, 12 Dec 2024 00:00:00 GMT

Changed: The Mullvad exit nodes add-on can be purchased for tailnets that are in trial mode.

Note: Purchasing the Mullvad exit nodes add-on for your trial tailnet will result in changes requiring action. For more information, see the Pricing & Plans FAQ topic.

Tailscale tsrecorder v1.78.3

Thu, 12 Dec 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Device posture integrations GA

Wed, 11 Dec 2024 00:00:00 GMT

Changed: Device posture integrations GA (generally available)
- Restrict device access with Tailscale device posture management and additional GA integrations: Jamf Pro, Kandji, Microsoft Intune, and SentinelOne.

Tailscale Docker image v1.78.1

Tue, 10 Dec 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
Fixed: Clients should more accurately detect whether they are in a container when checking for updates.

Tailscale Kubernetes operator v1.78.1

Tue, 10 Dec 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Tailscale client metrics can be enabled using a ProxyClass with the .spec.metrics.enable field set.
New: All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
New: ProxyClass supports configuring topology spread constraints for the Proxy Pods.
New: Connector Custom Resource Definition (CRD) can be used to configure the Kubernetes Operator to deploy a Tailscale app connector on Kubernetes.
New: Tailscale running on Kubernetes and using a Kubernetes Secret as a state store writes Kubernetes Events to its Pod when changes occur to the state stored in the Kubernetes Secret. The same is true when there are errors related to reading or writing the state. This should help debugging issues related to transient errors when talking to the Kubernetes API server to retrieve or update the state Secret.
New: Kubernetes Operator can optionally create a Prometheus ServiceMonitor for proxy resources that have Tailscale client metrics enabled.
New: Container Storage Interface (CSI) driver volume for the operator's OAuth client credentials can be configured by using Helm values.
New: Kubernetes Ingress has clearer warnings if it has been deployed to a tailnet that has no HTTPS enabled. Specifically, a new warning in proxy logs and empty hostname on the Ingress status.
Changed: tailscale.com/tailnet-ip annotation is validated that it holds a valid IP address.
Changed: Timeout for Kubernetes API server calls for reading/updating tailscaled state stored in a Kubernetes Secret has been changed from 5 seconds to the total of 30 seconds for the read/update operation and an operation to emit an Event about the state update. This should reduce errors related to slow API server connections.
Changed: The ProxyClass field .spec.metrics.enable enables metrics at both /metrics and /debug/metrics, but /debug/metrics is deprecated. Users relying on /debug/metrics need to set .spec.statefulSet.pod.tailscaleContainer.debug.enable (which is a new field in Tailscale 1.78.1) until Tailscale 1.82.0 releases. When 1.82.0 releases, /metrics and /debug/metrics will both independently default to false.
Changed: Kubernetes operator proxy containers created for ingress and egress Service resources, Connectors and ProxyGroups are privileged. This is needed because of recent changes in containerd. For more context, see tailscale/tailscale/pull/14262.
Fixed: Tailscale running on Kubernetes reads its state from a Secret only once, and that is upon initial start. This should reduce bugs caused by transient issues when connecting to the Kubernetes API server as well as reduce the load on the API server and improve latency for state operations.
Fixed: Kubernetes Egress Service ports for ProxyGroup can be changed from a single unnamed port to one or more named ports.
Fixed: Clients should more accurately detect whether they are in a container when checking for updates.

Tailscale tsrecorder v1.78.1

Tue, 10 Dec 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

New: All Tailscale container images are annotated with Open Container Initiative (OCI) annotations.
Fixed: Clients should more accurately detect whether they are in a container when checking for updates.

Tailscale v1.78.1

Thu, 05 Dec 2024 00:00:00 GMT

All platforms

Fixed: Issue which resulted in an unwanted change in source code line endings.

Tailscale v1.78.0

Thu, 05 Dec 2024 00:00:00 GMT

All platforms

New: Client metrics have been added, to provide insights into Tailscale client behavior, health, and performance.
New: tailscale metrics command has been added, to expose and collect client metrics for use with third-party monitoring systems.
New: tailscale syspolicy command has been added, to list system policies, reload system policies, or view errors related to the system policies configured on the device.
Changed: Tailscale system policies are applied immediately when pushed via mobile device management (MDM) or Group Policy, without requiring a client restart.
Fixed: Tailscale SSH session recording detects the disappearance of the recorder node sooner. This fix addresses a security vulnerability described in TS-2024-013.

Windows

Changed: UI customization system policies are configurable for both devices and users.

macOS

New: UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
New: The macOS configuration report diagnostic tool can collect a larger amount of diagnostics when requested by Tailscale support. This includes system and process logs on the Standalone variant.
New: Update Available notifications include a link to the client changelog.
Changed: On macOS Sequoia, in System Settings.app > Login Items & Extension, Tailscale is listed as Tailscale Network Extension instead of IPNExtension, to reduce user confusion.
Fixed: Performance optimizations reduce CPU and memory usage when parsing network maps, especially for users on larger and busy tailnets.
Fixed: Performance optimizations at the UI layer reduce flickering of the menus, especially for users on larger and busy tailnets where the contents of the network map change very frequently.
Fixed: Error messages displayed when failing to toggle a setting are improved and easier to understand.

iOS

New: UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.
New: On iPhones and iPads running iOS 18, the VPN can be toggled from Control Center. Hold down in an empty space to add the Tailscale Control.

tvOS

New: UI to configure custom DNS servers to use for Tailscale-bound traffic when Tailscale DNS is disabled in settings.

Android

New: Authentication by using a generated code is available for Android TV users.
New: Search bar shows suggestions.
Fixed: The default avatar displays if the user has no profile picture.
Fixed: False positive health warnings in the UI are reduced.
Fixed: Health warnings are no longer displayed in the UI after stopping Tailscale.
Fixed: Crashes when sharing a file using Taildrop from another Android app are reduced.
Fixed: UI padding of the main app toolbar is improved.

Country device posture attribute

Wed, 27 Nov 2024 00:00:00 GMT

New: ip:country has been added as a device posture attribute (beta).

New and more granular OAuth scopes

Thu, 14 Nov 2024 00:00:00 GMT

Changed: New scopes for OAuth clients have been added with more granular permissions. Existing OAuth clients using the previous set of scopes, and keys generated using these clients, are still valid.

Tailscale Docker image v1.76.6

Fri, 08 Nov 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Changed: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Tailscale Kubernetes operator v1.76.6

Fri, 08 Nov 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

Changed: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Log streaming integration with S3 buckets

Fri, 08 Nov 2024 00:00:00 GMT

New: Tailscale network flow logs and configuration audit logs can now be streamed to Amazon S3 and S3-compatible services (beta).

Tailscale tsrecorder v1.76.6

Fri, 08 Nov 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Tailscale v1.76.6

Wed, 06 Nov 2024 00:00:00 GMT

Note: v1.76.4 and v1.76.5 were internal-only releases.

All platforms

Updated: Logging for when clients move home DERP regions is improved.
Fixed: Tailscale clients no longer move their home DERP server prematurely in response to unusual latency at very specific times.

Android

Fixed: Android app no longer terminates unexpectedly when performing network transitions.

User approval and Invite any user GA

Tue, 05 Nov 2024 00:00:00 GMT

Changed: User approval GA (generally available)
Changed: Invite any user GA

1Password XAM device posture integration GA

Thu, 24 Oct 2024 00:00:00 GMT

Changed: 1Password Extended Access Management (XAM) GA (generally available)
- Restrict device access with 1Password XAM (formerly known as Kolide) and Tailscale device posture management.

Tailscale v1.76.3

Mon, 21 Oct 2024 00:00:00 GMT

Note: v1.76.3 includes fixes for Windows devices only, and is exclusively released for Windows.

Windows

Fixed: Mullvad VPN submenu no longer fails to populate with Mullvad exit nodes if there aren't any non-Mullvad exit nodes in the tailnet.

Tailscale v1.76.2

Thu, 17 Oct 2024 00:00:00 GMT

Note: v1.76.2 includes fixes for Android TV devices only, and is exclusively released for Android.

Android

Changed: D-Pad navigation is optimized in the Tailscale app on Android TV devices.

Tailscale v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

All platforms

Fixed: tailscale netcheck CLI command no longer crashes when performing diagnostics on networks lacking UDP connectivity.
Fixed: Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.

Linux

Fixed: dbus login sessions no longer fail on systems where /bin/login is missing.

Android

Fixed: Android application no longer crashes in certain configurations when editing the app-based split tunneling settings.

Tailscale Docker image v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

Google Workspace integration GA

Wed, 16 Oct 2024 00:00:00 GMT

Changed: User & group provisioning for Google Workspace GA (generally available)
- Sync Google Workspace groups and users to use in your Tailscale ACLs.

Tailscale Kubernetes operator v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Tailnet services can be exposed to cluster workloads on multiple proxy replicas using a ProxyGroup. It's also possible to expose multiple tailnet services on a single set of ProxyGroup replicas.
Fixed: Single use proxy auth keys no longer persist in the state Secrets after the proxies have logged in. This should fix an issue where, in some edge cases, the leftover keys were causing the proxies to attempt to re-authenticate after Pod restart.

Tailscale tsrecorder v1.76.1

Wed, 16 Oct 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Changed: State directory can be set with the TS_STATE_DIR environment variable. The state directory also defaults to /tmp/ for all tsrecorder installations that explicitly set the statefile location.

Tailscale v1.76.0

Thu, 10 Oct 2024 00:00:00 GMT

All platforms

Fixed: Clients lacking UDP connectivity no longer skip performing fallback latency measurements with DERP servers.
Fixed: Warnings no longer display unnecessarily.
Fixed: Tailscale connectivity on flights using Inflight Internet Wi-Fi (such as Alaska Airlines) no longer fails.
Fixed: Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
Fixed: Error messages include explanations in addition to the HTTP status code.

Linux

New: Tailscale SSH supports sending environment variables to hosts. It's also possible to specify permitted environment variables using the acceptEnv field.
Fixed: Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when resizing the application window.

Windows

Fixed: Ping messages sent through subnet routers to unreachable hosts no longer generate ping responses.

macOS

New: Tailscale SSH supports sending environment variables to hosts. You must specify permitted environment variables using the acceptEnv field.
New: Tailscale .pkg installer for the standalone variant prevents potential conflicts by showing a warning if it detects a Homebrew install of Tailscale.
New: Bug report view shows a warning if Tailscale detects that Cloudflare WARP is installed. Some Cloudflare WARP configurations conflict with Tailscale.
Fixed: DNS settings no longer improperly set when keys expire or Tailscale stops.

iOS

Changed: Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
Fixed: DNS settings no longer improperly set when keys expire or Tailscale stops.

tvOS

Fixed: DNS settings no longer improperly set when keys expire or Tailscale stops.

Android

New: Account switcher displays the server hostname if the account uses a custom coordination server.
Changed: Battery usage is improved when MagicDNS is enabled. The improvement comes from adjusting the timeout of DNS over HTTPS (DoH) for idle connections and requiring a TLS 1.3 handshake when establishing a connection with the DoH server.
Fixed: Quick tile toggle no longer fails to turn on Tailscale if Tailscale had been manually disconnected before it was last shut down.

Personal Plus pricing plan

Thu, 03 Oct 2024 00:00:00 GMT

New: The Personal Plus pricing plan offers the same features as the Personal plan with up to 6 users for a flat rate. For details about billing, plan comparison, and support, see Pricing & Plans FAQ.

Tailscale v1.74.2

Wed, 02 Oct 2024 00:00:00 GMT

Tailscale v1.74.2 addresses an issue for iOS, and is exclusively released for that platform.

iOS

Fixed: The Tailscale app launches as expected when Wi-Fi Calling on This iPhone is enabled in the iOS Cellular settings.

Tailnet deletion

Wed, 02 Oct 2024 00:00:00 GMT

Changed: Tailnets containing multiple users can be deleted from the admin console without first deleting the users manually.

Parameters added to Set custom device posture attributes endpoint

Fri, 27 Sep 2024 00:00:00 GMT

New: The optional expiry and comment parameters have been added to the Set custom device posture attributes endpoint of the device posture attribute API.

Tailscale v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

Tailscale v1.74.1 addresses issues for Linux and Android, and is exclusively released for those platforms.

Linux

Fixed: Linux-only NAT traversal optimization added in v1.74.0 is now disabled following a bug report. The behavior is reverted to that of v1.72.x and earlier and will be re-added in a future release.

Android

Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.

Fixed: Device network change detection is improved to reflect accurate Tailscale DNS configuration updates.
Fixed: System policies for the Android client on ChromeOS work as expected.

Tailscale Docker image v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Note: This version contains no changes except for library updates.

Tailscale Kubernetes operator v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Recorder CRD (custom resource) is added for deploying the Tailscale tsrecorder to Kubernetes.
New: Default ProxyClass can now be specified for the Kubernetes Operator proxies. If you are using Helm, the default ProxyClass can be configured in the proxyConfig.defaultProxyClass Helm value or set using PROXY_DEFAULT_CLASS environment variable.
Fixed: Wildcards in RBAC role definitions are replaced with exact verbs.

Tailscale tsrecorder v1.74.1

Wed, 18 Sep 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Note: This version contains no changes except for library updates.

Tailscale Terraform Provider v0.17.0

Fri, 13 Sep 2024 00:00:00 GMT

v0.17.0 of the Tailscale Terraform Provider has been released with the following changes:

Resources

New: Manage webhooks with tailscale_webhook.
New: Manage contact preferences with tailscale_contacts.
New: Manage device posture integrations with tailscale_posture_integration.
New: Manage log streaming with tailscale_logstream_configuration.
New: Manage Tailnet settings with tailscale_tailnet_settings.
Fixed: Changing the domain attribute for tailcale_dns_split_nameservers now properly removes the previous domain value.

Data Sources

New: Fetch information for multiple users with tailcale_users.
New: Fetch information for a specific user with tailscale_user.

Tailscale v1.74.0

Thu, 12 Sep 2024 00:00:00 GMT

All platforms

New: AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
New: tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
Changed: Go is updated to version 1.23.1.
Fixed: Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
Fixed: Log In option in the client works as expected.

Linux

New: TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
Changed: TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.

Windows

Fixed: The client no longer connects to a tailnet automatically when restarting or switching profiles.
Fixed: Profiles created as Local System with Unattended Mode enabled are retained after a reboot.

macOS

Changed: The open-source variant of the Tailscale client can now read the system DNS configuration to provide DNS resolution when tailscale set -—accept-dns or tailscale up -—accept-dns is enabled and the Override local DNS option in the DNS page of the admin console is disabled.
Fixed: DNS resolution continues to work after a key expires.

tvOS

New: The ping feature allows you to observe connectivity performance between your Apple TV and other devices in your tailnet.

Android

Note: The Android client release for v1.74.0 was delayed and moved into the v1.74.1 client release instead.

Fixed: Tailscale DNS works as expected when switching between Wi-Fi and cellular networks.
Fixed: System policies for the Android client on ChromeOS work as expected.

MAC addresses matching in CrowdStrike Falcon

Wed, 11 Sep 2024 00:00:00 GMT

New: Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.

Tailscale v1.72.2

Mon, 26 Aug 2024 00:00:00 GMT

Tailscale v1.72.2 addresses issues for macOS, iOS, and tvOS, and is exclusively released for those platforms.

macOS

Fixed: An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.
Fixed: An issue that could prevent Tailscale from automatically launching at login on some Macs is fixed.

iOS

Fixed: An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.

tvOS

Fixed: An issue that could trigger a VPN permission prompt when starting Tailscale while another VPN app was already active is fixed.

Configurable session timeouts

Fri, 23 Aug 2024 00:00:00 GMT

New: Admin console session timeouts from inactivity are now configurable from the User Management Settings page of the admin console.

Tailscale v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

Tailscale v1.72.1 addresses a Linux-specific issue, and is exclusively released for the Linux platform and containers.

Linux

Changed: TCP generic segmentation offload (GSO) support for userspace mode is removed.
Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale Docker image v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale Kubernetes operator v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale tsrecorder v1.72.1

Thu, 22 Aug 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Fixed: DNS over TCP failures when querying the Tailscale-internal resolver are fixed.

Tailscale Docker image v1.72.0

Wed, 21 Aug 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: An HTTP health check endpoint at /healthz can be enabled by setting TS_HEALTHCHECK_ADDR_PORT to [addr]:port.

Tailscale Kubernetes operator v1.72.0

Wed, 21 Aug 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see installation instructions.

New: Additional environment variables can now be passed for the Kubernetes Operator deployment via Helm chart options.
Fixed: DNSConfig CRD reconcile logic is fixed for dual-stack clusters.

Tailscale tsrecorder v1.72.0

Wed, 21 Aug 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Fixed: Running without HTTPS is now allowed when UI is disabled.

Tailscale v1.72.0

Mon, 19 Aug 2024 00:00:00 GMT

All platforms

New: Captive portal detection is now supported.
New: The tailscale cert command now contains the --min-validity flag. Use this flag to request a specified minimum remaining validity on the returned certificate. This flag is intended for automation, like cron jobs, that periodically refreshes certificates.
New: The tailscale lock command now supports passing keys as files. To pass a key as a file, use the prefix file: followed by the path to the file: file:<path-to-key-file>.
Changed: A health warning is now raised if Tailscale is unable to forward DNS queries to the configured resolvers.
Changed: An increase in send and receive buffer sizes for userspace mode TCP improves throughput over high latency paths.

Linux

New: The addition of TCP generic segmentation offload (GSO) support to userspace mode improves throughput.

macOS

Note: macOS 10.15 Catalina is no longer supported. See the v1.60.0 changelog for our initial end of life announcement.

New: Notifications are sent when a captive portal is detected.
Fixed: Health warnings in the UI are now sorted by their severity level.
Fixed: Reliability of the authentication process when launching the web browser is improved.
Fixed: The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

iOS

New: Notifications are sent when a captive portal is detected.
New: Health warnings are displayed when connectivity is impacted.
Fixed: An error message is displayed while attempting to start the VPN when both Wi-Fi and cellular interfaces are down, instead of failing silently.
Fixed: The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

tvOS

New: Notifications are sent when a captive portal is detected.
Fixed: The VPN tunnel is no longer automatically restarted if toggling Tailscale from the system VPN settings without disabling VPN On Demand first.

Android

New: Health warnings, if any are present, are displayed in the main view of the app.

Via in Access Control Previews

Thu, 15 Aug 2024 00:00:00 GMT

New: Access control policies using via are included in the Preview rules tab of the Access Controls page of the admin console.

Microsoft Entra ID SCIM GA

Tue, 13 Aug 2024 00:00:00 GMT

Changed: User & group provisioning for Microsoft Entra ID GA (generally available)
- Sync Microsoft Entra ID groups and users to use in your Tailscale ACLs.

Autogroups allowed as SSH source in ACLs

Thu, 08 Aug 2024 00:00:00 GMT

New: SSH src in ACL rules supports all role-based autogroups.

New device posture integrations

Fri, 02 Aug 2024 00:00:00 GMT

New: 1Password XAM is available as a device posture integration (beta)
New: Jamf Pro is available as a device posture integration (beta)
New: Kandji is available as a device posture integration (beta)
New: Microsoft Intune is available as a device posture integration (beta)
New: SentinelOne is available as a device posture integration (beta)

Control D integration

Thu, 25 Jul 2024 00:00:00 GMT

New: Control D DNS is available as a global nameserver in your tailnet.

New API endpoints

Mon, 22 Jul 2024 00:00:00 GMT

We have added the following endpoints to Tailscale's public API:

Tailscale Docker image v1.70.0

Mon, 22 Jul 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: Egress proxies specified by an FQDN now work also for IPv6-only network stacks.

Tailscale Kubernetes operator v1.70.0

Mon, 22 Jul 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

New: Egress proxies specified by an FQDN now work also for IPv6-only network stacks.
New: Tailscale Service status now includes a custom Tailscale proxy status condition.
New: Optionally record kubectl exec sessions.
Fixed: Cluster resources for failed egress proxies are now correctly cleaned up when the parent Service is deleted.

Tailscale tsrecorder v1.70.0

Mon, 22 Jul 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

Fixed: tsrecorder now plays session recordings for interactive sessions initiated by a command that explicitly specifies shell.

Tailscale v1.70.0

Wed, 17 Jul 2024 00:00:00 GMT

All platforms

New: Restrict recommended and automatically selected exit nodes using the new AllowedSuggestedExitNodes system policy. Applies only to platforms that support system policies.
Changed: Improved NAT traversal for some uncommon scenarios.
Changed: Optimized sending firewall rules to clients more efficiently.
Fixed: Exit node suggestion CLI command now prints the hostname (which you can use with the tailscale set command).
Fixed: Taildrive share paths configured through the CLI resolve relative to where you run the tailscale command.

Linux

Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.

Windows

New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
New: The new AllowedSuggestedExitNodes system policy restricts which exit nodes Tailscale recommends or automatically selects.
Fixed: DNS leak issue.
Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.
Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.

macOS

Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.

New: Toggle Tailscale DNS from Siri or the Shortcuts app.
New: Receive health notifications in the client menu on macOS to inform you about lack of internet connectivity, firewalls blocking Tailscale, misconfiguration issues, and other issues. Health issues that affect connectivity also change the Tailscale icon in the system menubar to show an exclamation mark.
New: On MacBooks with a notch in the display, a notification window will now appear if the Tailscale icon is hidden behind the notch due to too many menubar items.
New: The Tailscale client now warns you when the built-in macOS content filter (Screen Time) prevents Tailscale from connecting.
New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
Changed: The exit node picker no longer presents exit node suggestions if the organization enforces always using the suggested exit node using the ExitNodeID system policy.
Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.
Fixed: Increased the reliability of the Install Updates Automatically setting.

iOS

New: Toggle Tailscale DNS from Siri or the Shortcuts app.
New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
Fixed: wireguard-go memory pool deadlock issue is resolved.
Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
Fixed: User interface no longer flickers when selecting an exit node.

tvOS

New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
Fixed: wireguard-go memory pool deadlock issue is resolved.
Fixed: User interface no longer flickers when selecting an exit node.

Android

New: Access ping information and connection status by long-pressing on a device in the devices list and selecting Ping.
New: Use split tunneling to force or exclude app traffic through your tailnet.
Fixed: wireguard-go memory pool deadlock issue is resolved.

Indent has shut down

Mon, 15 Jul 2024 00:00:00 GMT

New: Indent shut down their service effective July 15, 2024. If you were using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration with Tailscale.

Plan enrollment changes for new tailnets

Thu, 11 Jul 2024 00:00:00 GMT

New: The process for creating a new tailnet now asks you if the tailnet will be primarily used At work or At home. This determines whether to enroll the tailnet into a 14-day trial or the Personal plan. For more details, see the Tailscale quickstart topic.
Changed: Newly created tailnets using custom domains are no longer automatically enrolled in a trial. Instead, the At work or At home selection determines trial enrollment.

New API endpoints, OpenAPI spec, and interactive API docs

Wed, 10 Jul 2024 00:00:00 GMT

New: Access an OpenAPI spec for the Tailscale API. The spec is used to generate our new interactive documentation. Note that the spec definition may change without notice, so should not be relied upon for stability.
New: Access interactive documentation for the Tailscale API.

New API endpoints

We have added the following endpoints to Tailscale's public API:

Logging endpoints

New: Get log streaming status.
New: Get log streaming configuration.
New: Set log streaming configuration.
New: Disable log streaming.
Changed: Created a new endpoint for listing configuration audit logs. An earlier version of this endpoint is still supported for backwards compatibility.
Changed: Created a new endpoint for listing network flow logs. An earlier version of this endpoint is still supported for backwards compatibility.

Webhook management endpoints

Device posture endpoints

User management endpoints

New: List all users in the tailnet.
New: Get details about a specific user.
New: Update the role for a specific user.
New: Approve a pending user's access to the tailnet. This is only applicable to tailnets that have enabled user approval.
New: Suspend a user. Available for the Personal and Enterprise plans.
New: Restore a suspended user. Available for the Personal and Enterprise plans.
New: Delete a user. Available for the Personal and Enterprise plans.

User invite endpoints

Device invite endpoints

Contact preferences endpoints

New: List the tailnet's current contact preferences.
New: Update a tailnet contact.
New: Resend the verification email for a tailnet contact.

Automatically cleanup invites

Wed, 10 Jul 2024 00:00:00 GMT

New: Invite team member invites are now automatically deleted 90 days after the last welcome email was sent.

IP sets GA

Mon, 08 Jul 2024 00:00:00 GMT

Changed: IP sets GA (generally available)
- Use IP sets to target and manage cross-sections of your tailnet independently of other groupings like subnets, tags, and groups.

Via in grants

Mon, 08 Jul 2024 00:00:00 GMT

New: Use Via to add routing awareness to grants (beta).
- Define the exit nodes, subnet routers, or app connectors a source can access when they use a specific destination.

Tailscale v1.68.2

Tue, 02 Jul 2024 00:00:00 GMT

All Platforms

Fixed: Tailnet Lock validation of rotation signatures now permits multiple nodes signed by the same pre-signed reusable auth key.

macOS

Changed: Wake from sleep reliability is improved for re-connections and transitions between networks.

iOS

Changed: Wake from sleep reliability is improved for re-connections and transitions between networks.

Sync Google Workspace groups to use in your Tailscale ACLs

Tue, 25 Jun 2024 00:00:00 GMT

New: User & group provisioning for Google Workspace (beta)

Indent shutting down July 15, 2024

Fri, 21 Jun 2024 00:00:00 GMT

New: Indent has announced they are shutting down 12:00 PM PST July 15, 2024. If you are using Indent with your Tailscale network, migrate to another on-demand access system or Tailscale's just-in-time accessbot (alpha), or otherwise turn off your Indent integration by that time.

Tailscale Docker image v1.68.1

Thu, 20 Jun 2024 00:00:00 GMT

A new release of the Tailscale Docker image is available. You can download it from Docker Hub or from our GitHub packages repo.

New: UDP GRO forwarding can be turned on for containers configured as Tailscale subnet routers or exit nodes, using the new environment variable TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS. To learn more, see Performance best practices.
New: Containers that run on Kubernetes and store the tailscaled state in a Kubernetes Secret can now be enforced to read the Kubernetes API server address and port from the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS. By default, the values are read from the Kubernetes Service in the default namespace. To enforce the environment variables, set TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV to true.

Tailscale Kubernetes operator v1.68.1

Thu, 20 Jun 2024 00:00:00 GMT

A new release of the Tailscale Kubernetes operator is available. For guidance on installing and updating, see our installation instructions.

New: Tailscale Kubernetes operator proxies can now be configured to accept routes advertised by tailnet peers using the new proxyClass.spec.tailscale.acceptRoutes field. To learn more, see our ProxyClass documentation.
New: Images and image pull policies can be configured for individual Tailscale Kubernetes operator proxies using ProxyClass.
New: Connector Custom Resources status now includes the proxy's tailnet IP addresses and MagicDNS name.
Fixed: Helm values file now allows configuring image repositories using a repository key, which is a standard and expected by some tools.

Tailscale tsrecorder v1.68.1

Thu, 20 Jun 2024 00:00:00 GMT

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

New: --state flag or the TS_STATE environment variable can be used to specify a Kubernetes Secret as tailscaled state store when deploying the tsrecorder container.
New: --dst flag for destination can be set as the environment variable TSRECORDER_DST when deploying the tsrecorder container.
New: --bucket flag for the S3 bucket name can be set as the environment variable TSRECORDER_BUCKET when deploying the tsrecorder container.
New: --hostname flag for the hostname can be set as the environment variable TSRECORDER_HOSTNAME when deploying the tsrecorder container.
New: --ui flag for the user interface can be set as the environment variable TSRECORDER_UI when deploying the tsrecorder container.
New: AWS ambient credentials can be used to access the S3 backend.

Tailscale v1.68.1

Fri, 14 Jun 2024 00:00:00 GMT

All Platforms

Fixed: 4via6 subnet router advertisement works as expected.

Linux

Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.

Android

Fixed: Android TV navigation is improved.

Tailscale v1.68.0

Wed, 12 Jun 2024 00:00:00 GMT

All Platforms

New: Auto-updates are available for containers. The tailnet-wide default is ignored in containers.
New: When enabled, auto-updates get applied even if the node is down or disconnected from the coordination server.
Changed: tailscale lock status now prints the node's signature.
Changed: Go is updated to version 1.22.4.

Windows

Changed: .exe installer no longer downloads MSI packages for Windows 7 and Windows 8, automatically. See the v1.42.0 changelog for our initial end of life announcement.

macOS

New: Standalone variant of the client can now install a launcher for the Tailscale CLI in /usr/local/bin by going to Settings, CLI integration, then Show me how.
New: Standalone variant of the client now supports notifications when a file is received using Taildrop.
New: Pop-up notification displays when a network might be vulnerable to a potential TunnelVision attack. For more information, see TunnelVision vulnerability and Tailscale.
Changed: Client starts up more reliably if another VPN app is running when Tailscale is enabled.
Changed: .pkg installer terminates pre-existing copies of Tailscale and the VPN extension before proceeding with installation if Tailscale was already installed.
Fixed: TunnelBear installation is properly detected, and warns the user about incompatibility.
Fixed: Using Exit Node label no longer appears incorrectly in the app menu before completing onboarding, upon the first time app launch.
Fixed: Fixed a bug with split DNS domains being used as search domains after a network change.

iOS

Changed: Battery life is optimized by offloading DNS resolution to iOS in more cases.
Changed: Client now starts more reliably if another VPN app is running when Tailscale is enabled.
Fixed: Bug report view no longer copies the bug report ID to the clipboard automatically.
Fixed: Reauthenticate button for in-app key expiry notifications works as expected.
Fixed: Dark mode contains minor changes to UI colors.
Fixed: Fixed a bug with split DNS domains being used as search domains after a network change.

tvOS

Changed: Client now starts more reliably if another VPN app is running when Tailscale is enabled.
Fixed: Reauthenticate button for in-app key expiry notifications works as expected.

Android

Changed: On-off toggle state better matches the actual client state.
Changed: Status notifications when Tailscale is disconnected are now background notifications, and tapping on notifications launches the Tailscale app.
Changed: Client starts automatically after the first login.
Changed: System policy (MDM) support is added for mandatory exit nodes.
Fixed: Organization name is now rendered properly when set in the ManagedByOrganizationName system policy.
Fixed: Crashing no longer occurs when launching Tailscale and another VPN application was already running.
Fixed: Running an exit node no longer lets you use another device as an exit node and vice versa.
Fixed: Home screen shows the selected exit node country and city when using Mullvad exit nodes.

Note: The Tailscale client releases for containers such as the Kubernetes operator, Docker image, and tsrecorder are typically released a few days after the initial client release. A separate changelog will be published when client updates for containers are available.

Auto exit nodes

Thu, 30 May 2024 00:00:00 GMT

New: You can now automatically select a recommended exit node based on client information (such as location).

Exit node destination logging

Fri, 24 May 2024 00:00:00 GMT

New: Exit node destination logging can now be configured from the Network flow logs tab in the Logs page of the admin console.

Tailscale v1.66.4

Mon, 20 May 2024 00:00:00 GMT

All platforms

Fixed: Restored UDP connectivity through Mullvad exit nodes.

Linux

Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.

Tailscale v1.66.3

Wed, 15 May 2024 00:00:00 GMT

Note: Tailscale v1.66.2 was an internal-only release.

All platforms

Fixed: Login URLs did not always appear in the console when running tailscale up.

Android

Changed: Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.

Kubernetes operator

Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
New: Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #11019.
New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019.
New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD. Refer to ProxyClass API.
New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.
New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to ProxyClass API.
Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.

Containers

Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326.
Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326.

Dark mode in the admin console

Wed, 15 May 2024 00:00:00 GMT

New: Use the Light, Dark, or Use system setting theme in the admin console by clicking the avatar menu on the top-right and selecting Appearance. The default theme is Use system setting.

Support for Amazon Fire devices

Fri, 10 May 2024 00:00:00 GMT

New: The Tailscale app for Android is now available in the Amazon Appstore for Amazon Fire TVs and tablets.

Tailscale v1.66.1

Thu, 09 May 2024 00:00:00 GMT

This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.

Linux

New: tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
Fixed: Issue with nftables rules for stateful filtering, introduced in v1.66.0.

macOS

Fixed: A version mismatch warning no longer displays when upgrading, if no mismatch is detected.

ACL syntax updates

Wed, 08 May 2024 00:00:00 GMT

Changed: As part of a security fix to address an issue related to exit nodes and subnet routing (TS-2024-005), changes are made to ACLs.
- The meaning of * when used in the src field in ACLs has been changed. Previously, * expanded to include any IPv4 and IPv6 address. With this change, * expands to all Tailscale IP addresses and all IP addresses from approved subnet routes.
- The new autogroup:danger-all ACL type has been added, which matches the previous definition of * when used in the src field. If you are using default ACLs or have specified * in src, you don't need to make any ACL changes to get the new secure behavior.
- We recommend updating all Tailscale clients to v1.66 to benefit from the additional security improvements.

Tailscale v1.66.0

Wed, 08 May 2024 00:00:00 GMT

We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.

All platforms

New: Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Linux

New: Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.

New: Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
New: Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
Changed: Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.

macOS

New: View a suggested exit node in the Exit Node picker when available.
New: Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
Changed: Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

iOS

New: See direct vs. relayed connections in the Ping view.
New: View a suggested exit node in the Exit Node picker when available.
New: Use auth keys to log in without using the browser.
New: Search tagged devices by tag in the Devices list.
New: Remove accounts in the Fast User Switching view by using a long press, without having to log out.
Changed: Improved UI experience to log into a custom coordination server like Headscale.
Changed: The Fast User Switching view can now be used when Tailscale is disconnected.
Changed: Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
Changed: Reduced app launch time.

tvOS

New: Manage DNS configuration in the DNS Settings view.
New: Generate a bug report identifier by navigating to About Tailscale > Report an issue.
Changed: Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

Android

We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.

New: Use new status indicators to see at-a-glance insights into node connectivity. Tap on a node to see detailed information.
New: See detailed information about resolvers, domains, and routing configurations in a dedicated DNS Settings view.
New: See the status of Tailnet Lock and node keys.
New: Use Fast user switching to switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate.
New: Use auth keys to log in without using the browser.
New: Manage Android devices in your tailnet using Mobile Device Management (MDM) solutions such as Google Workspace, Microsoft Intune, or TinyMDM, among other tools.
New: Accessibility support.
New: Use dark mode as an alternative to light mode.
Changed: The Quick Settings tile has been temporarily disabled, pending resolution of an issue.
Changed: More intuitive behavior switching between exit nodes.
Fixed: Issue with LAN access during exit node use.

Device posture management GA

Wed, 01 May 2024 00:00:00 GMT

Changed: Device posture management GA (generally available)
- Use Device posture management to collect device properties and set device connectivity rules within your Tailscale network. Leverage Tailscale's integration with CrowdStrike to use Falcon Zero Trust Assessment (ZTA) scores to enable granular access control based on device health and security.

Manage split DNS in API and Terraform

Tue, 30 Apr 2024 00:00:00 GMT

New: The API can now read, update, and set split DNS.
New: The Tailscale Terraform provider can now manage split DNS.

Log streaming with Axiom

Tue, 23 Apr 2024 00:00:00 GMT

New: Log streaming integration with Axiom GA (generally available).
- Use Axiom for log streaming.

Windows OS versions in admin console

Mon, 22 Apr 2024 00:00:00 GMT

Changed: Windows machines in the admin console are now displayed using their marketing version number instead of their internal version number.

All identity providers available to everyone

Thu, 18 Apr 2024 00:00:00 GMT

Changed: Allowable identity providers are no longer limited by pricing plan. Any supported identity provider is available to all plans.

Tailscale v1.64.2

Wed, 17 Apr 2024 00:00:00 GMT

Windows

Changed: Installers are now built using WiX toolchain version 3.14.1.

Synology

Fixed: DiskStation Manager UI no longer freezes for a few minutes at startup when attempting to clean unused routes. This update is applicable to the version provided on pkgs.tailscale.com.

Changelog update

Mon, 15 Apr 2024 00:00:00 GMT

Changed: The Tailscale changelog has migrated to a new server. To prevent disruptions to RSS readers that subscribe to our changelog, we have limited the RSS feed to entries published on or after 2024-04-15. Existing RSS subscriptions should not lose access to older entries that have already been downloaded. The full changelog history is always available on our website

Share devices by email from the admin console

Mon, 15 Apr 2024 00:00:00 GMT

New: Share devices by sending emails directly from the admin console. The email will contain the invitation and instructions on how to accept the device share.