Update dependency tailscale/tailscale to v1.58.0 #36

Closed
renovate[bot] wants to merge 1 commit into main from renovate/tailscale

renovate bot commented Jan 23, 2024

This PR contains the following updates:

Package | Update | Change
tailscale/tailscale | minor | 1a08ea5990c30caef5ad2c207c7e9ff2a94e8859 -> v1.58.0

Release Notes

tailscale/tailscale (tailscale/tailscale)

v1.58.0: 1.58.0

Compare Source

NOTE 21-Jan-2024: rollout of 1.58.0 has been paused while we investigate reports of a problem in handling portmap responses.

All Platforms

  • portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
  • portmap: better handle multiple interfaces
  • portmap: handle multiple UPnP discovery responses
  • increase the number of 4via6 site IDs from 256 to 65,536
  • taildrop: allow category Z unicode characters
  • increased binary size with 1.56 is resolved in 1.58
  • Reduce home DERP flapping when there's still an active connection
  • device web ui: fixed issue when accessing shared devices
  • device web ui: fixed login issue when accessed over https
Windows
  • find the full path to netsh.exe
  • add ADMX policy descriptions
  • remove vestigial wintun support which broke Chocolatey install at some sites
  • fix goroutine leak in winMon if the monitor is never started
  • fix "This package requires Windows 10 or newer" with Uninstall or Repair from the .msi file
  • support for tailscale set --webclient
Linux
  • add shell shebang in postinstall script, fixes some Debian installs
macOS
  • a new DNS Settings view shows the DNS configuration used when Tailscale is running
  • onboarding flow now includes a step to ask the user to approve notifications (for key expiry notifications)
  • better onboarding flow for the Standalone variant of the client, asking the user to approve the system extension if necessary
  • Tailscale app can now quit without terminating the VPN tunnel by holding down the Option button and selecting “Quit (Leave VPN Active)”
  • Toggle Tailscale shortcut action can be used to connect or disconnect the VPN tunnel depending on its current state
  • Better compatibility with versions of macOS prior to Sonoma
  • VPN tunnel now terminates upon closing the app
  • Opening the About window now triggers a check for app updates
  • downloadable variant of the client now checks for app updates every 72 hours
  • support for tailscale set --webclient from macsys build
  • KeyExpirationNotice system policy now supported on macOS, to customize the time interval before a key expiration notice is displayed
iOS
  • Toggle Tailscale shortcut action can be used to connect or disconnect the VPN tunnel depending on its current state
  • Connectivity is no longer lost when transitioning from Wi-Fi to Cellular while an exit node is in use
  • The "Sign" button in the Tailnet lock device sign view is now rendered correctly
  • KeyExpirationNotice system policy now supported on iOS, to customize the time interval before a key expiration notice is displayed
tvOS
  • Improvements to persistence of the client when running in the background
Android
  • better detect when active network changes
Kubernetes Operator
  • introduce a new Connector Custom Resource that can be used to deploy subnet routers and exit nodes on Kubernetes
  • sync operator managed labels to StatefulSet Pods
  • add a Tailscale IngressClass resource
  • fix extra long Service name truncation
  • warn if the unsupported Ingress Exact path type is used
Containers
  • add experimental support for configuring tailscale daemon using a mounted config file
  • fix a bug where tailscale images contained different layer types and could not be parsed by podman/buildah

v1.56.1: 1.56.1

Compare Source

Linux
  • Fixed: Web interface redirects to the correct self IP known by source peer
  • Fixed: Usage of slices.Compact from app connector domains list
macOS
  • Fixed: Using a custom login server
iOS
  • Fixed: Using a custom login server
tvOS
  • Fixed: Using a custom login server

v1.56.0: 1.56.0

Compare Source

All Platforms
  • improve responsiveness under load, especially with bidirectional traffic
  • improve UPnP portmapping
  • add tailscale whois subcommand to observe metadata associated with a Tailscale IP
  • include tailnet name and profile ID in tailscale switch --list to disambiguate profiles with common login names
  • make System policies beta
Linux
  • improve tailscale web interface for configuring some device settings such as exit nodes, subnet routers, and Tailscale SSH
  • improve containerboot to symlink its socket file if possible, making the tailscale CLI work without --socket=/tmp/tailscale.sock
  • support tailscale update for Unraid
Windows
  • improve throughput for userspace ("netstack") mode in the presence of packet loss
  • disable dynamic DNS updates for the tailscale interface via registry setting
  • begin displaying tailnet name in profile switcher
  • improve robustness when restarting GUI processes during Windows client upgrades
macOS
  • deliver notification when a file is received using Taildrop (Mac App Store variant only)
  • add shortcut action to send files using Taildrop
  • add in-app warnings and push notifications when internet connectivity is blocked due to the current exit node being offline or having an expired key
  • improve experience stopping Tailscale from the toggle in the menubar; now terminates the VPN tunnel entirely
  • inform user when running a TestFlight build from 'About Tailscale' window
  • fix /etc/resolv file formatting with Tailscaled-on-macOS
  • begin displaying tailnet name in profile switcher
iOS
  • add view to show DNS configuration
  • add "Allow Local Network Access" to exit node picker UI
  • add shortcut action to send files using Taildrop
  • include received file names in Taildrop notifications
  • add in-app warnings and push notifications when internet connectivity is blocked due to the current exit node being offline or having an expired key
  • inform user when running a TestFlight build from 'About Tailscale' window
  • reduce app size by about 2 MB with better assets compression
  • begin displaying tailnet name in profile switcher
tvOS
  • add tvOS UI to be a subnet router and configure routes
  • inform user when running a TestFlight build from 'About Tailscale' window
GoKrazy
  • use TUN mode by default
Kubernetes
  • add support in Kubernetes operator cluster egress for referring to a tailnet service by its MagicDNS name

v1.54.1: 1.54.1

Compare Source

macOS

  • Fixed: Changing a pre-existing system policy value to nil no longer causes stability issues

iOS

  • Fixed: Widget tracks the connection state more closely

v1.54.0: 1.54.0

Compare Source

All Platforms

  • update to Go 1.21.4
Linux
  • improve throughput substantially for UDP packets over TUN device with recent Linux kernels
Windows
  • open menu with a regular click in addition to a right-click
macOS
  • don't run taildrop cleanup loop until the first file transfer, avoid spurious security dialog
  • implement MDM settings for the macSys app downloadable from pkgs.tailscale.com
  • support tailscale update --yes for macSys app
iOS
  • show a helpful banner if there are no other devices on the tailnet
  • add "Allow Local Network Access" setting when using an exit node
  • show info bubble when key expires in < 8 hrs or has expired
  • widgets reflect the state of the VPN tunnel more accurately
QNAP
  • add tailscale update support

v1.52.1: 1.52.1

Compare Source

Windows

  • Fixed: Resolve an incompatibility with other software that uses wintun

NAS platforms

  • Changed: Clean up downloaded upgrades after applying them

v1.52.0: 1.52.0

Compare Source

All platforms

  • tailscale cert command renews in the background. The current certificate only displays if it has expired.
  • tailscale status command displays a message about client updates when newer versions are available
  • tailscale up command displays a message about client updates when newer versions are available
  • Taildrop now resumes file transfers after partial transfers are interrupted
  • Taildrop prevents file duplication
  • Taildrop detects conflicting file transfers and only proceeds with one transfer
  • Wake on LAN (WoL) is now supported for peer node wake-ups
  • TCP DNS queries are speculatively started if UDP hasn’t responded quickly enough
  • Truncated UDP DNS results are properly retried using TCP
  • Go is updated to version 1.21.3

Linux

  • tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
  • tailscale serve and tailscale funnel commands are updated for improved usability
  • tailscale update command for manual updates is now in beta
  • Taildrop file transfer displays a progress meter
  • nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
  • DNS detection of NetworkManager with configured but absent systemd-resolved, such as EndeavourOS
  • DNS detection for Debian resolvconf version 1.90 or later

Windows

  • tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
  • Preferences section contains auto-update setting
  • Update notice displays, when a new version is available
  • System policies allow system administrators to set a forced/suggested tailnet name, hide settings menu items, and more
  • tailscale serve and tailscale funnel commands are updated for improved usability
  • tailscale update command for manual updates is now in beta
  • iphlpsvc, netprofm, and WinHttpAutoProxySvc service dependencies are checked during installation

macOS

  • tailscale set command flag --auto-update is added to opt in to automatic client updates (beta)
  • App menu displays a notification item when a newer version is available
  • System policies allow system administrators to set a forced/suggested tailnet name, prevent the VPN from stopping, hide categories of network devices and setting menu items, and more
  • Settings section has an option added for turning on auto-updates
  • Reauthenticate menu item shows time until expiry more prominently, presenting alerts when necessary
  • tailscale serve and tailscale funnel commands are updated for improved usability
  • tailscale update command for manual updates is now in beta
  • About window more clearly distinguishes between the Standalone and App Store variants of the client
  • Sparkle is updated to version 2.5.1

iOS

  • Settings page displays a notification banner when a newer version is available on the App Store
  • Home and lock screen widgets are supported
  • System policies allow system administrators to set a forced/suggested tailnet name, prevent the VPN from stopping, hide the VPN On-Demand settings, categories of network devices and settings menu items, and more

tvOS

v1.50.1

Compare Source

All Platforms

  • Fix Issue 9558: tailscale serve config lost in container
  • Fix Issue 9539: tailnet lock failed to sign node in container
  • Fix Issue 9566: Funnel support for tsnet apps
  • Fix potential crash with UPnP

v1.50.0: 1.50.0

Compare Source

All platforms

  • update to Go 1.21.1.
  • tailscale ping now sends an ICMP Ping code of 0.
  • UPnP falls back to a permanent lease if a limited lease fails, some servers only support permanent.
  • Adds support for Wikimedia DNS using DNS-over-HTTPS.
  • Unhide tailscale update CLI command on most platforms.
  • tailscale web updated to use React and be more awesome.
  • Add --log-http option to tailscale debug portmap.
  • tailscale netcheck now works even if the OS platform lacks CA certificates.
Linux
  • debian package lists iptables+iproute2 packages as recommended, not required.
  • nftables support now interoperates with ufw
Windows
  • The Windows executable installer now detects when it is running on Windows 7 or Windows 8.x and will automatically download the appropriate v1.44.2 MSI package, which is the final Tailscale release supporting those operating systems.
  • The Windows executable installer no longer embeds MSI packages in its binary. Instead, it automatically downloads the correct package. Users desiring the previous behavior may download the "full" executable installer at pkgs.tailscale.com.
  • Added additional diagnostics to logs generated via tailscale bugreport
iOS/tvOS
  • First official release with support for tvOS.
  • Improved Tailnet Lock support.
  • Add Fast User Switching support.
  • Improved UI to pick Mullvad VPN exit nodes, including an option to automatically pick the 'best available' node.
  • Added the ability to log in to multiple user accounts with Fast User Switching.
  • Users using iOS 17 can now customize their device name from the app settings.
  • App Shortcuts in Spotlight and Siri are now supported. Try saying: "Hey Siri, connect to Tailscale", or "Hey Siri, is Tailscale connected?". - Find more in the Shortcuts app.
  • Added new shortcuts to find and ping devices.
  • VPN On-Demand rules are no longer reset when disabling the feature.
  • Improved the accessibility of UI items when using VoiceOver.
  • Taildrop no longer replaces spaces with "%20" in file names when sending files to Windows devices.
macOS
  • Improved Tailnet Lock support.
  • Improved UI to pick Mullvad VPN exit nodes, including an option to automatically pick the 'best available' node.
  • Added new shortcuts to find and ping devices.
  • Reliability improvements when signing devices with Tailnet lock
  • Taildrop no longer replaces spaces with "%20" in file names when sending files to Windows devices.

v1.48.2: 1.48.2

Compare Source

All Platforms

  • Fixed: Stability improvements for Mullvad Exit Nodes, particularly for users on IPv4-only networks

v1.48.1: 1.48.1

Compare Source

Linux

  • Fix: resolve nftables interaction between tailscale and ufw which resulted in blocking subnet routed traffic

Synology

  • Fix: determine correct CPU architecture on Synology platforms during tailscale update

v1.48.0: 1.48.0

Compare Source

1.48.0 introduced a regression in the interaction between Tailscale and Linux ufw. The Linux release has been withdrawn pending a fix.

All Platforms:

  • Tailscale Lock Beta
  • Add --upstream flag to tailscale version
  • Add tailscale exit-node subcommand
  • The tailscale funnel command provides an interactive web UI that prompts you to allow Tailscale to enable Tailscale Funnel on your behalf
  • The tailscale serve command provides an interactive web UI that prompts you to allow Tailscale to enable HTTPS and Tailscale Funnel on your behalf

Linux:

  • Support for nftables
  • RPM packages are now fully signed
  • Support for tailscale update on Alpine, Arch and Fedora distro families

Synology:

  • Support for tailscale update

macOS:

  • Support for tailscale update

iOS:

  • Support for VPN On Demand
  • VPN tunnel lifecycle improvements
  • Improved exit node selection
  • Minor UI tweaks

v1.46.1: 1.46.1

Compare Source

All platforms

  • Fixed an issue with Tailnet lock signature verification

Linux

  • Fixed a crash on arm64

Android

  • Fixed an issue involving DNS and subnet routes

v1.46.0: 1.46.0

Compare Source

Android
  • Fixed an issue that could cause the device name to always be 'localhost'
iOS
  • UI redesign (new onboarding flow, exit node picker, devices list, device details, settings page)
  • Added ability to ping devices
  • Added support for Tailnet lock
macOS
  • Added support for Tailnet lock
Windows
  • Added support for Tailnet lock

v1.44.3: 1.44.3

Compare Source

Windows
  • Fixed: Added a security fix to address privilege escalation with tailscale serve and tailscale funnel that allowed low-privilege users to serve files they did not have access to (TS-2024-001). This release is intended for Windows 7 and 8 users. Those with later versions of Windows should run the latest stable version of Tailscale, which is 1.56.1. This issue was resolved in Tailscale 1.52.push

v1.44.2: 1.44.2

Compare Source

All platforms

  • fix handling of custom HTTP ports in tailscale serve.

Windows

  • restore support for Windows 7 and 8.x. 1.44.2 will be the last release to support Windows 7, Windows 8, Windows Server 2008 and Windows Server 2012.

v1.44.0: 1.44.0

Compare Source

All Platforms

  • Tailscale SSH supports remote port forwarding
  • Tailscale Serve now supports HTTP
  • improve stability of userspace subnet routers, including macOS, Windows, FreeBSD, and Linux when --tun-userspace-networking is used
  • initial support for recursive DNS resolution to replace bootstrapDNS, currently operating in a parallel mode
  • MagicSock will prefer private addresses when both private and public are available, to keep traffic in private VPCs where possible
  • update to Go 1.20.5
  • remove async support from portlist package, please update to use synchronous Poll() if this breaks your package
  • WatchIPNBus requires only read-only permissions to read
  • base the decision of whether to renew in tailscale cert on the lifetime of the certificate, not hard-coded. Better supports 14 day certificate lifetimes.
Linux
  • better support SELinux systems using Tailscale SSH
  • install iputils in Alpine-based Docker containers
  • support usernames of up to 256 characters for Tailscale SSH
  • build_dist.sh better supports operating systems and CPU architectures which Tailscale release builds do not include
macOS
  • fix ICMP6 forwarding when running as a subnet router
FreeBSD / OpenBSD
  • fix ICMP6 forwarding when running as a subnet router
Windows
  • better support for DNS caching using PreferGo
WASI
  • better support tsnet applications compiled to WebAssembly

v1.42.1

Compare Source

v1.42.0: 1.42.0

Compare Source

News

  • This is the last release to support the following operating systems. Tailscale releases after 1.42 will no longer install on these operating systems.
    • Windows 7, Windows 8, Windows Server 2008 and Windows Server 2012
    • macOS 10.13 High Sierra, macOS 10.14 Mojave.

All platforms

  • update internal DNS handling to better support mixtures of global and private DNS servers
  • add a tailscale serve reset to clear current serve config
Linux
  • fix SSH login on platforms which lack getent
Windows
  • Note: this release switches to a new application signing cert, good through 2025.
  • update notification icons
macOS
  • update Sparkle to check more regularly
  • fix Taildrop delivery of incomplete files
iOS
  • better handle memory management to avoid hitting 50 MByte memory limit
  • add Delete Account button to redirect to the admin panel
Unraid
  • support Unraid as a NAS platform similar to how Synology and QNAP are handled
Kubernetes
  • add support for priorityClassName

v1.40.1: 1.40.1

Compare Source

Linux
  • support LDAP and other users with Tailscale SSH
  • restore support for SSH recording to a local file
  • start generating Debian & RPM packages for MIPS again
macOS
  • fix a timeout failure in tailscale cert fetch
Windows
  • Notification icons have been changed
  • Fixes 32-bit Windows installer
Kubernetes
  • print Tailscale version in the startup logs

v1.40.0: 1.40.0

Compare Source

News

  • Early warning: as early as August 2023, Windows 7, 8, Server 2008 and Server 2012 will no longer be supported. Similarly, for macOS, macOS 10.13 High Sierra or 10.14 Mojave will no longer be supported and macOS 10.15 Catalina or later will be required.

All platforms

  • tailscale up --force-reauth will now display a warning and 5 second countdown if you are connected over SSH over Tailscale, unless --accept-risk=lose-ssh is also given.
  • Tailscale now dynamically increases the buffer size for DERP relay messages based on the amount of available RAM (#​7776).
  • Improvements were made to how Tailscale advertises available endpoints to reduce the likelihood of a spurious loss of direct connections (#​7877).

Linux

Windows

macOS

  • change menu item to "Settings" instead of "Preferences" on macOS Ventura

Android

  • Added intents com.tailscale.ipn.CONNECT_VPN and com.tailscale.ipn.DISCONNECT_VPN

gokrazy

  • Tailscale SSH now works on gokrazy

QNAP

  • fix UI failure after reboot

v1.38.4: 1.38.4

Compare Source

All Platforms

  • Build Go 1.20.3 to address security fixes (CVE-2023-24537, CVE-2023-24538, and CVE-2023-24536). These address potential DoS attacks against DNS over HTTPS and Funnel that can occur over the public internet, and PeerAPI attacks launched from other nodes already on the tailnet.
  • Added path support for proxy targets with tailscale serve
  • Error displays when trying to use Funnel and tailscale up --shields-up

Windows

  • When connected to a Windows 10 client using Windows RDP, the Tailscale taskbar right-click option for the remote client works as expected (#​7698)

v1.38.3: 1.38.3

Compare Source

All Platforms

  • Funnel is now beta.
  • Trim mount point prefix from serve HTTP proxy paths.
  • Fix X-Forwarded-For IP address for Funnel.

Linux

  • Fix cert storage to actually use Kubernetes secrets.

Windows

  • We upgraded the Walk framework for the GUI client to improve menu responsiveness.

v1.38.2: 1.38.2

Compare Source

All Platforms

  • rename tailnet lock tskey-wrap to tailnet lock sign

FreeBSD

  • fixes a bug setting the effective group ID on some non-interactive Tailscale SSH sessions. This issue is specific to FreeBSD's implementation of setgroups and does not impact other platforms.

Linux

macOS

v1.38.1: 1.38.1

Compare Source

News

  • Early warning: as early as August 2023, Windows 7, 8, Server 2008 and Server 2012 will no longer be supported. Similarly, for macOS, macOS 10.13 High Sierra or 10.14 Mojave will no longer be supported and macOS 10.15 Catalina or later will be required.

All platforms

  • The tailscale debug portmap command replaces tailscaled debug -portmap; this is now available on platforms without a tailscaled binary (like the macOS App Store).
  • Several improvements to UPnP portmapping have been made that should allow it to work with a broader set of home routers (#​7377).
  • Add tailscale configure to help configure third party applications to use Tailscale features.
  • Add tailscale debug derp to help diagnose DERP-related difficulty.
  • Allow tailnet-lock to be used with preauth keys.
  • The tailscale serve command has been overhauled, and we've moved Funnel to its own command, tailscale funnel (docs).
  • Added tailscale debug capture to write pcaps for debugging.

Linux

  • Allow certificates to be stored in Kubernetes secret storage.

Windows

  • MSI installers start the GUI without user interaction, to allow remote upgrade.

macOS

iOS

  • Support alternate control servers by setting the URL in Settings > Tailscale.

Android

  • Fix Chromecast support while Tailscale is active.

v1.38.0: 1.38.0

Compare Source

Not released

We tagged the tree for v1.38.0 but were not able to build a release. The tag point itself is fine, if you have pulled from this tag you should feel free to build and use the 1.38.0 binaries which result.

We applied a fix for our builder in tailscale/tailscale@6c0e6a5, which is the only change between v1.38.0 and v1.38.1. Tailscale's released binaries are v1.38.1.

v1.36.2

Compare Source

All Platforms

macOS
  • Fix: don't use an exit node while being an exit node
  • Fix: improve detection of default interface
iOS
  • Fix: improve detection of default interface
Windows
  • Fix: better clean out of registry entries during upgrade

v1.36.1

Compare Source

All Platforms

  • Fix: potential infinite loop when node key expires
macOS
  • Fix: handle starting the app before network interfaces are ready
iOS
  • Fix: handle starting the app before network interfaces are ready
  • Fix: Get Status intent will not connect the VPN
Windows
  • Fix: potential crash in netstat handling
  • Fix: Windows 7 checks for KB2533623

v1.36.0: 1.36.0

Compare Source

All platforms

  • tailscale debug daemon-logs
  • tailscale version now advertises when you're on the unstable (dev) track
  • tailscale version --json for JSON output mode
  • --json output for tailscale lock status and tailscale lock log commands.
  • Handle cases where a node expires and we don't receive an update about it from the control server (#​6929 and #​6937).
  • tailscale status --json now includes KeyExpiry time and Expired boolean.
  • Support UPnP port mapping of gateway devices where they are deployed as a highly available pair (#​6946).
  • Support arbitrary IP protocols like EOIP and GRE (#​6423).
  • Fix exit node handling of a large number of SplitDNS domains (#​6875).
  • Accept DNS-over-TCP responses up to 4KBytes.
  • Unix platforms: when /etc/resolv.conf needs to be overwritten for lack of options, a comment in the file now links to https://tailscale.com/s/resolvconf-overwrite
  • Tailscale SSH: ssh to tailscaled as a non-root user now works again, as long as you only ssh to the same user that tailscaled is running as
Linux
  • Improved throughput performance on Linux (#​6663). More details in this blog post.
  • Add build support for Loongnix CPU architecture.
Windows
  • Add a more robust mechanism to remove WinTun.
  • Update taskbar menu radio button implementation.
  • Installer is now MSI based.
macOS
  • Tailscale actions (connect, disconnect, switch profile, use exit node) are available in the Shortcuts app.
  • Fixed Tailscale traffic looping (#​5156) upon certain sleep/resume/wifi change transitions.
iOS
  • Tailscale actions (connect, disconnect, use exit node) are available in the Shortcuts app.
  • Fixed Tailscale using cellular data even after Wi-Fi becomes available (#​6565).
Android
  • New version of the Gio UI library with internationalization, accessibility fixes.
  • Allow Sonos app to discover local devices while Tailscale is connected.
Synology
  • Now shows whether outgoing connections are configured in the web UI.
Containers
  • Can run in a Kubernetes environment without setting TS_KUBE_SECRET (#​6704).
OpenBSD
  • Tailscale SSH now runs on OpenBSD.

v1.34.2: 1.34.2

Compare Source

Linux
  • fix handling of a large number of SplitDNS domains while using an exit node
Windows
  • fix support for custom server URLs using a registry key
macOS
  • fix UI glitch with macOS 10.14 and 10.13
Synology
  • fix crashes manifesting on certain ARM-based platforms and models with very old kernels

v1.34.1: 1.34.1

Compare Source

Windows
macOS
  • fix an issue which could fail to save the key for tailscale serve
  • fix an issue which could crash when interfaces change
Linux
  • fix unit tests on systems using busybox ip
  • fix regression handling TS_STATE_DIR in containerboot

v1.34.0: 1.34.0

Compare Source

All platforms

  • a new (third) 4via6 DNS form: 192-168-1-2-via-8 or 192-168-1-2-via-8.foo-bar.ts.net.
  • display decoded punycode hostnames in status list
  • add tailscale set CLI to modify one configuration setting without needing to repeat the rest
  • warn in tailscale status health and tailscale up if there are nodes advertising routes but --accept-routes=false
  • tailscale lock command to manage tailnet lock
Linux
  • add Fast User Switching using tailscale login and tailscale switch
  • warn in tailscale status health if something else overwrites /etc/resolv.conf
Windows
  • Use named pipes to communicate between UI and Service
  • move state storage responsibility from frontend to backend. The current state is migrated, this should not be a noticeable change.
  • add Fast User Switching by selecting the desired tailnet from the Tailscale icon in the taskbar, or via login and switch subcommands from the CLI
  • switch to wingoes for OLE support, use multithreaded apartment
  • files received via Taildrop are written to the Downloads folder instead of the desktop
macOS
  • add Fast User Switching by selecting the desired tailnet from the Tailscale icon in the menubar, or via login and switch subcommands from the CLI
iOS
  • substantially reduced the size of the app, from 20 Megs to 11 Megs.
Android
  • Allow Sonos app to discover speakers on the local LAN.
Synology
  • Better detect DSM version, locate local socket correctly
Containers
  • replace run.sh with cmd/containerboot
FreeBSD
  • support Tailscale SSH (thanks to Pat Maddox)

v1.32.3: 1.32.3

Compare Source

  • Fixes: Security vulnerability in the Windows client that allows a malicious website to reconfigure the Tailscale daemon tailscaled, which can then be used to remotely execute code (CVE-2022-41924, TS-2022-004)
  • Fixes: Security vulnerability in the client that allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables (CVE-2022-41925, TS-2022-005)
Windows
  • set Zone.Identifier alternate data stream for Taildrop files
macOS
  • set com.apple.quarantine flag for Taildrop files

v1.32.2: 1.32.2

Compare Source

  • fix a 4-in-6 DNS problem mainly impacting Android (fixed by Peter Cai)
  • substantially improve userspace-networking handling of packet loss
  • fix a crash impacting some macOS systems

v1.32.1: 1.32.1

Compare Source

Fix: avoid a condition which can result in high CPU consumption on macOS
Fix: correct IPv6 MTU setting on Windows
Fix: avoid crash in tailscale netcheck
Fix: fix taildrop failures when sending many files from macOS

v1.32.0: 1.32.0

Compare Source

All Platforms

  • support NextDNS
  • fix IP fragmentation handling as an exit node
  • fix SSH inadvertently closing tmux/etc panes at disconnect
  • add tailscaled --no-logs-no-support (or TS_NO_LOGS_NO_SUPPORT=true env variable)
  • add more in-depth healthchecks in a bugreport
  • always respond to 4via6 ICMP echo requests
  • tailscale netcheck looks for a captive portal
  • normalize more process names in Services report
  • update to Go 1.19.2
  • add tailscale bugreport --record to pause and write another bug report
Linux
  • coexist with mwan3 package iptables rule fwmark masks, for OpenWRT
  • add an eBPF helper to pass the first packet on a new flow up to tailscaled
  • better detect being run in a container
Windows
  • log Windows service diagnostics when the wintun device fails to install
macOS
  • fix incorrect list of taildrop target devices
iOS
  • fix incorrect list of taildrop target devices
Android
  • show an error when we cannot accommodate multiple users
Synology
  • fix configure-host version parsing
  • add envknob support

v1.30.2: 1.30.2

Compare Source

  • fix IPv6-mapped-IPv4 addresses in STUN responses
  • better container detection

v1.30.1

Compare Source

Fixes

  • fix exit-nodes in --tun=userspace-networking mode with no IPv6 connectivity to not break Chrome 104+
  • fix SIGINT when running in a container without job control

v1.30.0

Compare Source

All Platforms

  • delete node immediately if tailscaled exits and was using mem: state storage
  • report whether a subnet router is running in userspace-networking or kernel mode.
  • send Tailscale client version number in ACME requests (to LetsEncrypt, for example)
  • add a timeout when writing to BIRD socket
  • use DNS-over-HTTPS for Mullvad DNS servers
  • add tailscale licenses with link to open source licenses
  • clients can use Noise with any HTTPS port with capver 39 (mainly for Headscale)
  • 100.100.100.100 will respond with SERVFAIL if there are no upstream resolvers
  • tsnet ephemeral nodes will delete themselves on Close()
  • report whether host kernel supports IPv6
  • misc performance optimizations, smaller bug fixes
Linux
  • gracefully handle restarts in systemd-resolved support
Windows
  • notice when group policy entries change and move our NRPT rules between the local and group policy subkeys as needed
  • avoid 2.3 second DNS lookup delay when Smart Name Resolution is enabled by adding MagicDNS names to hosts file
  • disable NetBIOS nameservice on Tailscale interfaces
  • update Proxy support
  • add native ARM build for backend Tailscale service (only in NSIS installer in this release)
macOS
  • report variant (App Store, macSys) in the About box
iOS
  • fix potential crash in notification handling
  • fix dismissing of error indication if a bugreport fails
Android
  • Fix Google Stadia, Android Auto, GoPro, and Messages RCS with the VPN active.
  • Allow coordination server URL to be set. Click the Authentication menu three times quickly to enable.
Synology
  • fix /dev/net permissions in tailscale configure-host
OpenBSD
  • support functioning as a subnet router or exit node using hybrid netstack mode

Other

  • accommodate shared nodes in nginx-auth
  • fix race in derper (Custom DERP servers) with manual certificates.

v1.28.0

Compare Source

All Platforms

  • MagicDNS recursive resolution now returns SERVFAIL if all upstream resolvers fail
  • fix tailscale ping -c N to properly exit after N ping requests even if there are timeouts
  • portmapper: send discovery packet for IGD specifically, some routers don't respond to ssdp:all
  • add ExitNodeStatus to tailscale status --json
Linux
  • implement specific DNS support for AWS, Google Cloud, and Azure to add internal split DNS domain & fallback DNS
Windows
  • set registry values to not send DNS changes concerning our interface to AD domain controllers
  • update Windows split DNS settings to work alongside other NRPT entries set by group policy
  • suppress nonfunctional link-local IPv6 addresses on Tailscale interface, Powershell ping (hostname) now works correctly
  • set AllowSameVersionUpgrades attribute on MajorUpgrade tag in Windows MSI script
macOS
  • Use one large 100.64.0.0/10 route entry if there are no other interfaces using CGNAT, to avoid Network Changed errors in browsers where possible
iOS
  • the minimum iOS version is now iOS 15, which makes substantially more memory available (the App Store will offer Tailscale 1.26.2 for iOS 13 and 14 devices)
  • add portmapper support for NAT-PMP, PCP, UPnP
  • add MagicDNS support for TCP
Android
  • Android can now be an exit node (previously available but hidden)

v1.26.2

Compare Source

All Platforms

  • fix tailscaled being able to restart while mosh-server is running from an SSH session
  • make tailscale up --operator="" clear a previously set operator
Linux
  • fix Tailscale SSH support with Arch Linux
Windows
  • make ssh command prefer Windows ssh.exe over PATH
macOS
  • limit SSH login to 16 groups
iOS
  • try harder to notify for SSH check mode

v1.26.1

Compare Source

Bugfixes.

v1.26.0

Compare Source

All Platforms

  • Added tailscale ping --peerapi <peer> to check connectivity to a peer using the PeerAPI.
  • tailscale.com/client/tailscale package refactored w/ LocalClient type
  • allow LoginInteractive via LocalAPI
  • MagicDNS supports DNS/TCP and handling IP fragmented UDP frames
  • add an overall 10 second timeout for recursive MagicDNS queries
  • add Wake-on-LAN function to PeerAPI (no UI for it yet)
  • change MagicDNS "via route" DNS names from "via-SITEID.10.2.3.4" to "10.2.3.4.via-SITEID". The old format will continue to work for a release or two.
  • configured MTU is now consistent between TUN device and userspace device.
  • Added --timeout <duration> flag to tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initialize
Windows
  • fix MagicDNS lookup of own hostname
  • fix handling of >50 Split DNS domains
  • resolve one source of shutdown delay (may still be more)
  • add TS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUI: msiexec /quiet filename.msi TS_NOLAUNCH=1
macOS
  • Tailscaled-on-macOS now supports MagicDNS (including Split DNS)
  • Initial release of a standalone macOS client, which is independent of the App Store, in the stable track
iOS
  • add bug report UI
Synology
  • Allow the NAS disks to hibernate by moving telemetry buffering to tmpfs
  • Fix HTTP proxy handling

v1.24.2

Compare Source

All platforms

  • fix handling of HTTP proxies in certain circumstances
  • fix another issue where the new control plane protocol could fail to make a connection to our servers (#4557)
Synology
  • additional fix in handling of HTTP proxies

v1.24.1

Compare Source

All Platforms

v1.24.0

Compare Source

All Platforms

  • improve netstack performance via better GC tuning
  • Initial support for site-relative IPv4 addressing using IPv6
  • MagicDNS: PTR records for TS service IPs
  • First for-keepsies deployment of ts2021 protocol
  • build with Go 1.18
  • tsnet now supports providing a custom ipn.StateStore.
Linux
  • taildrop: add file get --loop
  • taildrop: add file get --conflict=(skip|overwrite|rename)
  • default to userspace-networking mode on gokrazy
  • set tailscale0 link speed to UNKNOWN, not 1Gbps.
  • Attempt to load the xt_mark kernel module when it is not present.
Windows
  • improve HTTPS proxy handling
  • fix naming in MSI installer
macOS
  • fix CLI in macSys build
  • make quit on termination more reliable, helps with restart after upgrade
iOS
  • make quit on termination more reliable, helps with restart after upgrade
Android
  • add Android TV support
  • fix and reintroduce Talkback support
Synology
  • improve HTTPS proxy handling
FreeBSD
  • fix portmapping support

v1.22.2: 1.22.2

Compare Source

Linux

  • fix a potential crash at startup when using BGP

Windows

  • fix MSI not restarting GUI after MSI-to-MSI upgrade

v1.22.1: 1.22.1

Compare Source

Fixes:

  • better operation with gokrazy
  • Fix portmapping on FreeBSD
  • In userspace-networking mode, always close SOCKS proxied connections
  • Fix a Windows NSIS installer bug when upgrading
  • Fix macOS GUI "Must restart" dialog in some cases

v1.22.0: 1.22.0

Compare Source

All Platforms

  • New: DERP Return Path Optimization (DRPO), allows a pair of nodes in different DERP regions to connect more quickly by only requiring one side to connect to the other, cutting down some DERP setup latency
  • New: tailscaled --state=mem: registers as an ephemeral node and does not store state to disk
  • New: tailscale status --json now shows Tags and PrimaryRoutes for Peers. PrimaryRoutes shows whether a HA subnet router is currently the active one.
  • New: tailscale status --json | jq .TailnetName will show the name of the tailnet
  • New: the optional tailscaled debug server's Prometheus metrics exporter now also includes Go runtime metrics
  • New: tailscaled supports a new TS_PERMIT_CERT_UID environment variable containing either a userid or username to allow to fetch Tailscale TLS certificates for the node. This environment variable can be set in /etc/default/tailscaled to permit non-root web servers on the local machine to fetch certs from tailscaled.
  • Fixed: send heartbeats less often, saving some battery, matching 1.20 change on mobile platforms.
  • Changed: --auth-key and --authkey both work as tailscale up arguments
Windows
  • New: MSI installer
  • Fixed: Reject SIDs from deleted/invalid security principals to avoid failed to look up user from userid error
Linux
  • Fixed: More robust detection of systemd-resolved
  • Fixed: Efficiently parse extremely large /proc/net/route files
  • Fixed: Be more helpful in suggesting tailscale --operator=USER to use with Taildrop
  • Fixed: some broken host DNS configurations are now detected and reported in tailscale status
Synology
  • Changed: Add /var/packages/Tailscale/target/bin/tailscale configure-host to restore needed permissions. We recommend adding this as a scheduled task at boot.

v1.20.4: 1.20.4

Compare Source

  • Fix DNS lookups via an exit node in many cases
  • fix Openresolv /etc/resolv.conf handling
  • better handle extremely large /proc/net/route files for very large routers
  • fix BGP advertisement with subnet router failover

v1.20.3: 1.20.3

Compare Source

(only released for Synology platforms)

Fix Synology options page https://github.com/tailscale/tailscale/issues/3811

v1.20.2: 1.20.2

Compare Source

v1.20.1: 1.20.1

Compare Source

Fix a potential deadlock in handling the DERPmap.

v1.20.0: 1.20.0

Compare Source

All Platforms

  • New: When using an exit node, DNS queries will be forwarded to the exit node for resolution
  • New: tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
  • New: SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
  • New: More debug metrics available
  • New: tailscale ip -1 flag
  • New: CLI now lets you select exit node by name
  • New: CLI now shows you which nodes are offering exit nodes
  • New: CLI now refuses to let you pick an invalid exit node (when connected)
  • New: Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
  • New: Added Online boolean to tailscale status --json, made tailscale status show offline nodes
  • New: Added tailscale up --json
  • Fixed: MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using DisableIPv4: true in ACL
  • Fixed: choose a new DERP if the current DERP is removed from the DERPmap
  • Fixed: bug fixes, cleanups, log spam reduction

Linux

  • Changed: tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)

Windows

  • New: GUI support for running an exit node

macOS

  • New: GUI support for running an exit node

iOS

  • Changed: Send heartbeats less often, to conserve battery

Android

  • New: Talkback support
  • New: Menu selection to generate a bug report
  • New: "Allow LAN Access" checkbox in Exit Node menu
  • Changed: Send heartbeats less often, to conserve battery
  • Changed: implement DNS config reporting, no longer require fallback DNS to be configured in admin panel
  • Fixed: Report in the UI when connectivity is lost; this functionality was present but broken in prior releases

FreeBSD

  • Fixed: Now supports running in a jail (if devd isn't available, it falls back to network status polling mode)

v1.18.2: 1.18.2

Compare Source

Bugfixes

All Platforms
  • make exit node selection take effect (almost) immediately
  • permit protocols other than TCP+UDP if ACL allows *
Linux
  • in DNS DirectManager, allow comments at the end of a line
  • don't get stuck waiting for systemd-resolved if we mis-estimated the DNS manager
Synology
  • Send & receive Taildrop files. To receive, create a shared folder named "Taildrop" and in Permissions, give the System user tailscale read/write access, then restart Tailscale

v1.18.1

Compare Source

  • Linux-only release to fix some regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing.

v1.18.0: 1.18.0

Compare Source

Platform independent

  • Improve UPnP discovery; eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
  • If unable to upload telemetry, limit amount buffered to 50MB
  • Retry more transient DNS errors, instead of passing the failure back to the client
  • fix state machine transition regarding expired key extension
  • the tailscaled debug server now exports Prometheus metrics at /debug/metrics

Linux

  • Support storing Tailscale state using AWS SSM (ex: tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime VISONNEAU)
  • use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device.
  • if resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
  • if NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
  • handle /etc/resolv

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Contributor Author

renovate bot commented Jan 23, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.58.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/tailscale branch January 23, 2024 03:57