Tailscale Versions

The easiest, most secure way to use WireGuard and 2FA.

v1.66.1

4 days ago

This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.

Linux

  • tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
  • Resolved issues with nftables rules for stateful filtering, introduced in v1.66.0.

macOS

  • A version mismatch warning no longer displays when upgrading, if no mismatch is detected.

v1.66.0

5 days ago

We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.

All platforms

  • Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.

Linux

  • Use the --stateful-filtering flag for the tailscale up command to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
    • Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.
  • Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
  • Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
  • Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.

macOS

  • View a suggested exit node in the Exit Node picker when available.
  • Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
  • Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

iOS

  • See direct vs. relayed connections in the Ping view.
  • View a suggested exit node in the Exit Node picker when available.
  • Use auth keys to log in without using the browser.
  • Search tagged devices by tag in the Devices list.
  • Remove accounts in the Fast User Switching view by using a long press, without having to log out.
  • Improved UI experience to log into a custom coordination server like Headscale.
  • The Fast User Switching view can now be used when Tailscale is disconnected.
  • Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
  • Reduced app launch time.

tvOS

  • Manage DNS configuration in the DNS Settings view.
  • Generate a bug report identifier by navigating to About Tailscale > Report an issue.
  • Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.

Android

  • We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.
  • Use new status indicators to see at-a-glance insights into node connectivity. Tap on a node to see detailed information.
  • See detailed information about resolvers, domains, and routing configurations in a dedicated DNS Settings view.
  • See the status of Tailnet lock and node keys.
  • Use Fast user switching to switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate.
  • Use auth keys to log in without using the browser.
  • Manage Android devices in your tailnet using Mobile Device Management (MDM) solutions such as Google Workspace, Microsoft Intune, or TinyMDM, among other tools.
  • Accessibility support.
  • Use dark mode as an alternative to light mode.
  • The Quick Settings tile has been temporarily disabled, pending resolution of an issue.
  • More intuitive behavior switching between exit nodes.
  • Resolved an issue with LAN access during exit node use.

v1.64.2

3 weeks ago

Windows

  • Changed: Installers are now built using WiX toolchain version 3.14.1.

Synology

  • Fixed: DiskStation Manager UI no longer freezes for a few minutes at startup when attempting to clean unused routes. This update is applicable to the version provided on pkgs.tailscale.com[^1].

[^1]: We initially noted this as being released in 1.64.1, but that package was not uploaded correctly, so 1.64.2 has the actual fix.

v1.64.1

4 weeks ago

Synology

  • Fixed: No longer freezes for a few minutes at startup when attempting to clean unused routes

v1.64.0

1 month ago

All platforms

macOS

  • New: Access a new Internet Access Policy for Little Snitch users
  • New: Receive alerts when an error occurs while changing client preferences
  • New: Use Tailscale for macOS as a Tailscale SSH client (Standalone variant only)
  • New: tailscale ssh and tailscale nc are now supported in the Standalone variant of the client.
  • Changed: The .pkg installer no longer requires a system restart after installing the client (Standalone variant only)
  • Fixed: Reduced number of alerts if the network extension terminates unexpectedly
  • Fixed: Unexpected terminations for some macOS 10.15 Catalina users

iOS

  • Fixed: Improved reliability of the ping chart presentation

Synology

  • New: Update certificates using the configure synology-cert CLI command
  • Fixed: IPv6 addresses are available again

Kubernetes operator

Containers

  • Fixed: Containers on hosts with partial support for ip6tables no longer crash.

v1.62.1

1 month ago

Linux

  • New: Send load balancing hint HTTP request header

Windows

  • Fixed: Do not allow msiexec to reboot the operating system

macOS

  • Issue that could cause the Tailscale system extension to not be installed upon app launch, when deploying Tailscale using MDM and using a configuration profile to pre-approve the VPN tunnel (applies to standalone variant only)

Synology

  • Fixed: IPv6 routing

Kubernetes operator

  • Fixed: Kubernetes operator proxies should not accept subnet routes

v1.62.0

2 months ago

All platforms

  • New: Web interface now uses ACL grants to manage access on tagged devices
  • Changed: Tailscale SSH connections now disable unnecessary hostname canonicalization
  • Changed: tailscale bugreport command for generating diagnostic logs now contains ethtool information
  • Changed: Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
  • Changed: DNS over HTTP requests now contain a timeout
  • Changed: TCP forwarding attempts in userspace mode now have a per-client limit
  • Changed: Endpoints with link-local IPv6 addresses are preferred over private addresses
  • Changed: WireGuard logs are less verbose
  • Changed: Go is updated to version 1.22.1
  • Fixed: DERP server region no longer changes if connectivity to the new DERP region is degraded

Linux

  • Changed: Auto-update version detection on Alpine Linux is improved
  • Changed: IPv6 support detection in a container environment is improved
  • Fixed: DNS configuration on Amazon Linux 2023 no longer causes an infinite loop

Windows

macOS

  • New: A .pkg installer package is now available for the standalone release of the Tailscale client
  • Changed: Taildrop notifications now include actions to reveal the received file in the Finder, or delete it
  • Changed: Tailnet lock settings UI displays more information about the status, including key and public key trust status
  • Changed: The onboarding flow now guides the user in enabling the Tailscale system extension
  • Changed: Launch Tailscale at login settings item can now be toggled when the Tailscale client is disconnected
  • Changed: DNS behavior is improved when handling transitions between network interfaces

iOS

  • Changed: Battery usage is improved
  • Changed: Taildrop notifications now include actions to reveal the received file in the Files app, or delete it
  • Changed: Tailnet lock settings UI displays more information about the status, including key and public key trust status
  • Changed: Unnecessary log messages are removed when triggered by changes to device power state and routing
  • Changed: DNS behavior is improved when handling interface transitions between Wi-Fi and Cellular

Android

  • Changed: Settings persist from previous sign-ins
  • Changed: Always-on VPN handling is improved
  • Changed: Custom control server is applied on first start

Kubernetes operator

  • Changed: Ingress resource handling is improved when deployed before its backing Service resource
  • Fixed: Destination NAT (DNAT) rule management by egress proxies in nftables mode when IP address of tailscale.com/tailnet-fqdn changes

v1.60.1

2 months ago

All Platforms

  • Fixed: Exposing port 8080 to other devices on your tailnet works as expected

v1.60.0

2 months ago

All Platforms

  • build Tailscale with Go 1.22
  • authentication: present users with a valid login page when attempting to log in even after leaving device unattended for several days
  • networking: mute noisy peer mtu discovery errors
  • networking: expose gVisor metrics in debug mode
  • port mapper: support legacy "urn:dslforum-org" port mapping services
  • port mapper: fix crash when no supported mapping services are found
  • ssh: log warning when unable to find SSH host keys
  • serve: improve error message when running as non-root
  • cloud servers: Detect when Tailscale is running on Digital Ocean and automatically use Digital Ocean's DNS resolvers
  • app connectors: enable app connectors to install routes for domains that resolve to CNAME records
  • app connectors: support pre-configured routes from control server
  • web client: add new read-only mode
  • tailscale status command: fix output formatting when Tailnet includes location-based exit nodes

Windows

  • Fixed: tailscaled could be slow or cause increased CPU usage with large routing tables

Synology

  • fix stalling SMB transfers of large files

macOS

  • Added: New UI to add/remove/switch between user accounts, including using custom control servers
  • Added: New UI to change client preferences
  • Added: New UI to manage updates for the Standalone variant of the client, including switching in-app between stable and unstable builds.
  • Added: VPN On-Demand is now supported on macOS, to automatically connect/disconnect Tailscale when specific conditions are triggered
  • Added: ‘Reset VPN Configuration’ menu item in the Debug Menu is now available to reset the system VPN configuration if needed
  • Improved: An alert window is presented when the Tailscale network extension fails to start, providing suggested troubleshooting steps
  • Improved: Tailscale appears in the macOS Dock when an app window is presented
  • Improved: The devices list now shows all devices known to the control server, not only the ones seen in the last 4 days.
  • Improved: The onboarding flow automatically advances once the user is connected
  • Fixed: The authentication flow is now more reliable when Tailscale has been running for an extended period of time, and the session has expired server-side
  • Fixed: Resolved a potential crash and excessive logging upon client launch
  • Fixed: “Start on Login” is set correctly on macOS Ventura and earlier versions

iOS / tvOS

  • Fixed: The authentication flow is now more reliable when Tailscale has been running for an extended period of time, and the session has expired server-side
  • Fixed: Resolved a potential crash and excessive logging upon client launch
  • Fixed: Stale devices are no longer presented in the devices list

Android

  • Improved: Sort Mullvad exit nodes to make it easier to find the best node for each location
  • Fixed: Quick settings tile now works
  • Fixed: Mullvad tunnels are no longer shown as regular nodes in UI

Kubernetes operator

  • New: a new ProxyClass custom resource that allows providing custom configuration for cluster resources that the operator creates
  • New: ACL tags for the operator can now be configured via Helm chart values
  • Fixed: routing to Ingress backends that require an exact path without a slash (/) suffix

v1.58.2

3 months ago

All platforms

  • Fixed: App connectors have improved scheduling and merging of route changes under some conditions
  • Fixed: Crash when performing UPnP portmapping on older routers with no supported portmapping services

macOS

  • Fixed: Opening the About window no longer displays a user interface when there is no newer version