Releases: tailscale/tailscale
v1.4.4
v1.4.3
Fixes
- wgengine/magicsock: fix DERP reader hang regression during concurrent reads (#1282)
- control/controlclient: avoid crash sending map request with zero node key (#1271)
- net/interfaces: use a uint32_t for ipv4 address on mac, fixes misdetection of some gateways (1c238cd)
- cmd/tailscale: fix IPN message reading stall in tailscale status -web (#1234)
- net/packet: add some more TSMP packet reject reasons and MaybeBroken bit
v1.4.2
Linux bugfixes
- Improve probing of kernel IPv6 support (#1241)
- Clarify the "IPv6 disabled" log message.
- Recommend sudo when tailscale up fails (#1220)
- Revert systemd unit hardening for now, as it causes issues with older systemd versions (#1245)
macOS/iOS bugfixes
- Show magicdns basename as device name in GUIs.
v1.4.1
All platforms
- Fix accidental rate-limiting of connectivity-related debug logs.
Linux
- Allow access to /run with recent systemd versions, so that tailscaled can run iptables.
- Don't attempt to configure IPv6 addresses and routes when IPv6 is disabled on the system.
v1.4.0
User-visible changes
- GUIs now show MagicDNS names in device lists
- MagicDNS now supports accessing accepted shared devices by their name (the FQDN of the owner's name of the device)
- tailscale status is now more readable
  - sorted by name, not public key
  - shows DNS names
  - endpoints and asterisks around endpoints removed (too spammy); connection state now listed explicitly as idle, direct, or relayed
  - owner of a node shown
  - tx/rx bytes only shown for ever-active peers
- Linux
  - sudo is now required to change state with tailscale up; tailscale status does not require root
  - systemd-notify support; so systemctl status shows a summary of the state
Debuggability
- Tailscale 1.4 nodes now tell each other when they're rejecting connections for Shields Up or ACL policy reasons.
- TCP connection failures and timeouts now log why they failed, including the local node's perceived state of the peer and whether the peer rejected their connection for Shields Up or ACL policy reasons.
Optimizations, fixes
- more efficient protocol for talking to the coordination server; uses less bandwidth
- does much less work when idle; improves CPU, bandwidth, battery
- omits advertising ZeroTier interfaces as possible paths to avoid routing loops
- endpoint exchange can now happen between peers without the coordination server involved; adds extra robustness in case of control server outages
- improved DERP relay selection hysteresis to avoid ping-ponging between equidistant regions every 5 minutes
- CPU/bandwidth optimizations to improve throughput on fast networks (initial steps, more coming later)
- Windows
  - update to wintun 0.10 fixing a number of bugs (including WSL2 interop)
- Linux
  - the systemd unit is now more locked down with more security options enabled
Works in progress
- IPv6 support inside the tunnel: Tailscale has used IPv6 (when available) as a transport outside the tunnel for a number of releases, but this release adds support for IPv6 routing and node addresses inside the tunnel. It will be enabled in the future when testing has completed on all platforms.
- In Tailscale 1.4, tailscaled on Linux can now advertise a default route with --advertise-routes=0.0.0.0/0,::/0. Client-side support for selecting which node to use as an "exit node" is a work in progress for a future release.
- cmd/tailscaled now embeds the gVisor "netstack", a userspace networking stack. It's only enabled in --fake mode when --tun=userspace-networking. It's preparation for future versions of Tailscale that don't require root and can do more types of routing on more operating systems without operating system involvement.
v1.2.0
Flagship features
- MagicDNS: Tailscale now runs an embedded DNS server on your machine at 100.100.100.100, serving names for the nodes in your network. Requests for regular DNS names are forwarded to your upstream resolver. Enable and configure it in the admin panel to give it a spin.
- Windows: "unattended mode" -- The background Windows service can now store all of the authentication state for Tailscale. The result is that Tailscale can start on boot without interactive login, and the same connection is available to multiple users of the computer.
- Improved ACL editor in the admin panel, with syntax highlighting.
General improvements
- Tailscale CLI enhancements:
  - New "tailscale down" command shuts down Tailscale networking without having to stop the Tailscale service. Run "tailscale up" to reenable.
  - New "tailscale up --force-reauth" command takes you through the sign-in flow again. This makes it easier to switch between Tailscale accounts.
  - Improved "tailscale status" output prints stars around the currently active tunnel path to peers (if any - idle links may show no stars), and provides information about the local machine in addition to remote peers.
- Connectivity enhancements: when behind a "hard" NAT and if Tailscale is configured to run on a static port, we try to get connectivity by probing public-ipv4:static-port. Administrators of "hard" NAT devices can create a manual port forward to enable connectivity.
- Efficiency improvements:
  - Steady state memory consumption was reduced by lazily configuring WireGuard peers on-demand.
  - Significantly reduced the rate of debug logs compared to 1.0, resulting in lower disk and CPU utilization.
  - The Tailscale network engine now shuts down most periodic network processes when idle. This reduces idle CPU utilization, as well as battery consumption on mobile devices.
- New DERP servers in Bangalore (India), Tokyo (Japan), London (UK), Dallas and Seattle (USA). Users in those regions will see improved latency when using fallback connectivity, as well as faster peer-to-peer connection establishment.
OS-specific improvements
- Windows was a particular focus for this release.
  - Use HTTP proxies provided by WPAD/PAC proxy autoconfiguration.
  - Early support for Active Directory authentication to HTTP proxies. Note that in this version, Tailscale authenticates as the user’s system role, rather than the user principal itself.
  - Tailscale automatically configures the Windows firewall to allow inbound Tailscale traffic that is permitted by Tailscale ACLs.
  - Fixed routing loops when a machine is on a network that is also exported as a subnet route over Tailscale.
  - Added a small local disk log to help troubleshoot startup issues.
  - Fixed interface MTU configuration that caused intermittent connectivity problems to certain destinations.
- Synology NAS
  - Force --netfilter-mode=off, since Synology does not support advanced firewall configuration. This allows using Tailscale on Synology devices for access to the device itself, but not as a subnet router.
- iOS and Android
  - Significantly less battery is used in idle mode.
v1.0.3
- Connectivity now solid in many challenging environments; ready to call it "1.0"
- NAT traversal connectivity fixes
- bug fixes, reliability, more tests, reduced CPU usage, better logging
- support for on-demand wireguard configuration of peers; currently only used on iOS to reduce memory usage
- Windows:
  - removing staging binary; debug options are now in shift-right-click menu options
- Linux:
  - switch iptables / ip rule number 88 to 52 (52 is above "TS" on QWERTY keyboard)
  - --accept-dns flag to tailscaled
- CLI now available on Windows and macOS (in addition to Linux)
  - Mac: /Applications/Tailscale.app/Contents/MacOS/Tailscale status
  - Windows: "c:\Program Files (x86)\Tailscale IPN\tailscale.exe" status
  - tailscale status --active limits output to only active peers
  - tailscale status asterisks show which route is active, even if it's a DERP relay (sfo, nyc, etc)
v0.100.0-153
v0.99.1
v0.99
Tailscale Backend
- A new "Shields Up" mode offers a simple complement to ACLs. When a machine has shields up, it can connect to other Tailscale nodes, but all incoming connections are blocked.
- The ACL subsystem supports specifying CIDR-style network prefixes as destinations. This makes it much simpler to create ACLs for subnet routers.
- Tailscale now functions correctly in IPv6-only environments (e.g. a VPS lacking IPv4 internet access). Connectivity to IPv4-only hosts is provided through DERP.
Linux
- Tailscale can make outbound connections through a SOCKS proxy, if such a proxy is specified in the all_proxy environment variable.
- For advanced uses, system administrators can control the degree of automatic firewall configuration, with the --netfilter-mode flag to tailscale up. Setting this flag to "off" disables all management of netfilter. "nodivert" creates and manages Tailscale sub-chains, but leaves the calling of those chains up to the administrator. The default is "on", meaning full management of Tailscale's rules.
  - Note that if you set --netfilter-mode to "off" or "nodivert", it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by --netfilter-mode=on as a starting point.
- It is now possible to disable source NAT on subnet route traffic, with the --snat-subnet-routes=false flag on tailscale up. This allows destinations on subnets to see the Tailscale IP of the client, rather than that of the subnet router, but requires additional network configuration for return traffic.
- tailscale up warns if --advertise-routes is requested but IP forwarding is disabled on the system.
- The routing and firewall rules configured by Tailscale are now compatible with a wider variety of systems.
- Subnet routing now works even in the presence of conflicting local routes (for example, being on the same LAN that another machine is advertising as a subnet route).
- Experimental: forwarding all traffic to a single other Tailscale node should now be possible, with --advertise-routes=0.0.0.0/0. Please file bugs if you encounter any.
- tailscale netcheck supports --format=json for machine-readable output (format not guaranteed to be stable), and --every=DURATION for periodic probing of network conditions.
Windows
- The system tray icon now matches the Tailscale logo, and works across light and dark modes.
- A new "Shields up" checkbox. When a machine has shields up, it can connect to other Tailscale nodes, but all incoming connections are blocked.
- Reduced memory usage
macOS
- A new "Shields up" checkbox. When a machine has shields up, it can connect to other Tailscale nodes, but all incoming connections are blocked.
- Reduced memory usage
iOS
- Various stability and memory usage improvements.
A complete list of changes can be found here: v0.98.0...v0.99.0