v1.74.0

Please refer to the changelog available at https://tailscale.com/changelog

v1.72.1

Please refer to the changelog available at https://tailscale.com/changelog#2024-08-22.

v1.72.0

Please refer to the changelog available at https://tailscale.com/changelog#2024-08-19.

v1.70.0

All platforms

• New: Restrict recommended and automatically selected exit nodes using the new AllowedSuggestedExitNodes system policy. Applies only to platforms that support system policies.
• Changed: Improved NAT traversal for some uncommon scenarios.
• Changed: Optimized sending firewall rules to clients more efficiently.
• Fixed: Exit node suggestion CLI command now prints the hostname (which you can use with the tailscale set command).
• Fixed: Taildrive share paths configured through the CLI resolve relative to where you run the tailscale command.

Linux

• Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.

Windows

• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• New: The new AllowedSuggestedExitNodes system policy restricts which exit nodes Tailscale recommends or automatically selects.
• Fixed: DNS leak issue.
• Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.
• Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.

macOS

Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.

• New: Toggle Tailscale DNS from Siri or the Shortcuts app.
• New: Receive health notifications in the client menu on macOS to inform you about lack of internet connectivity, firewalls blocking Tailscale, misconfiguration issues, and other issues. Health issues that affect connectivity also change the Tailscale icon in the system menubar to show an exclamation mark.
• New: On MacBooks with a notch in the display, a notification window will now appear if the Tailscale icon is hidden behind the notch due to too many menubar items.
• New: The Tailscale client now warns you when the built-in macOS content filter (Screen Time) prevents Tailscale from connecting.
• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• Changed: The exit node picker no longer presents exit node suggestions if the organization enforces always using the suggested exit node using the ExitNodeID system policy.
• Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
• Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.
• Fixed: Increased the reliability of the Install Updates Automatically setting.

iOS

• New: Toggle Tailscale DNS from Siri or the Shortcuts app.
• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• Fixed: wireguard-go memory pool deadlock issue is resolved.
• Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
• Fixed: User interface no longer flickers when selecting an exit node.

tvOS

• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• Fixed: wireguard-go memory pool deadlock issue is resolved.
• Fixed: User interface no longer flickers when selecting an exit node.

Android

• New: Access ping information and connection status by long-pressing on a device in the devices list and selecting Ping.
• New: Use split tunneling to force or exclude app traffic through your tailnet.
• Fixed: wireguard-go memory pool deadlock issue is resolved.

v1.68.2

All Platforms

• Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes signed by the same pre-signed reusable auth key.

macOS, iOS

• Changed: Wake from sleep reliability is improved for re-connections and transitions between networks.

v1.68.1

All Platforms

• Fixed: 4via6 subnet router advertisement works as expected.

Linux

• Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.

v1.68.0

All Platforms

• Changed: Build Tailscale with Go 1.22.4
• New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
• New: Apply auto-updates even if the node is down or disconnected from the coordination server.
• New: tailscale lock status now prints the node's signature.

Windows

• Changed: The exe installer no longer has the ability to automatically download MSI packages for Windows 7 and Windows 8. See the v1.42.0 changelog for our initial end of life annoucement.

macOS

• New: The Standalone variant of Tailscale can now install the Tailscale CLI in /usr/local/bin for quicker and easier access.
• New: Tailscale now detects any attempt to use DHCP Option 121 to misroute traffic meant for the VPN (TunnelVision attack), and presents a warning to the user. System administrators can disable this warning with a system policy.
• New: The Standalone variant of the client now supports notifications when a file is received using Taildrop.
• Changed: Tailscale now starts more reliably if another VPN app was running when Tailscale was enabled.
• Changed: The .pkg installer now terminates Tailscale and the VPN extension before proceeding with the installation.
• Fixed: Tailscale now properly detects any copy of TunnelBear installed on the Mac, and warns the user about incompatibility.
• Fixed: Resolved an issue that could have caused “Using Exit Node” to incorrectly appear in the app menu before completing onboarding, upon first app launch.

iOS

• Changed: Battery life is optimized by offloading DNS resolution to iOS in more cases.
• Changed: Tailscale now starts more reliably if another VPN app was running when Tailscale was enabled.
• Fixed: Opening the bug report view no longer copies the bug report ID to the Clipboard automatically.
• Fixed: The Reauthenticate button within in-app key expiry notifications now works properly.
• Fixed: Minor tweaks to UI colors when dark mode is enabled.

tvOS

• Changed: Tailscale now starts more reliably if another VPN app was running when Tailscale was enabled.
• Fixed: The Reauthenticate button within in-app key expiry notifications now works properly.

Android

• Fixed: Exit node selection. If the exit node location is available, we’ll now show the Country and City instead of the raw node name on the home screen
• Changed: The on-off switch state better matches the VPN state
• Fixed: Running as an exit node and using an exit node are now mutually exclusive
• Changed: Disconnect notifications are now background notifications and navigation from notifications is improved
• Fixed: Crash when running multiple VPN applications
• Changed: MDM support for forced exit nodes and rendering of the organization name
• Changed: Tailscale will now start automatically after the first login

v1.66.4

All platforms

• Fixed: Restored UDP connectivity through Mullvad exit nodes.

Linux

• Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.

v1.66.3

All platforms

• Fixed: Login URLs did not always appear in the console when running tailscale up.

Android

• Changed: Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
• Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
• Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
• Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.

Kubernetes operator

• Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
• New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
• New: Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #11019.
• New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019.
• New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD.
  Refer to ProxyClass API.
• New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.
• New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
• New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to ProxyClass API.
• Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.

Containers

• Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326.
• Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326.

v1.66.2

An internal release which was not distributed