1.18.2

Bugfixes

All Platforms

• make exit node selection take effect (almost) immediately
• permit protocols other than TCP+UDP if ACL allows *

Linux

• in DNS DirectManager, allow comments at the end of a line
• don't get stuck waiting for systemd-resolved if we mis-estimated the DNS manager

Synology

• Send & receive Taildrop files. To receive, create a shared folder named "Taildrop" and in Permissions, give the System user tailscale read/write access, then restart Tailscale

v1.18.1

• Linux-only release to fix some regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing.

1.18.0

Platform independent

• Improve UPnP discovery; eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
• If unable to upload telemetry, limit amount buffered to 50MB
• Retry more transient DNS errors, instead of passing the failure back to the client
• fix state machine transition regarding expired key extension
• the tailscaled debug server now exports Prometheus metrics at /debug/metrics

Linux

• Support storing Tailscale state using AWS SSM (ex: tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime VISONNEAU)
• use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device.
• if resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
• if NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
• handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
• work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
• make /etc/resolv.conf parse to the end of the comment section, not use the first match it finds

iOS

• on iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms

Synology

• only use AmbientCaps on DSM7+
• add an exit node enable checkbox in the web login form

1.16.2

• Fix UPnP discovery for certain Wi-Fi routers, notably eero #3197
• Limit log buffer size on disk, for example if uploads are blocked

1.16.1

General improvements

• Resolve connectivity issue where a DISCO key was assumed to map to one node when in reality it could be any of several nodes.

Platform specific

iOS

• on iOS15 which allows sufficient memory for it, allow 1000 DNS-over-HTTPS requests in flight like other platforms use.
• filter out a second variant of WAN DNS-SD lookups, to avoid waking the radio unnecessarily

Synology

• don't try to delete legacy netfilter rules, they don't exist on Synology
• only use AmbientCaps on DSM7+

1.16.0

All Platforms

• Support storage of node state as a Kubernetes secret.
• tailscale up --authkey=file:/path/to/secret support
• tailscale up --qr for QR codes
• tailscaled in userspace-networking mode can now run an HTTP proxy server (in addition to the prior SOCKS5 proxy server support)
• no longer need the while tailscale up; do sleep 0.1; done loops in Docker startup scripts.
• CPU/memory profiling support in tailscale debug
• bake in LetsEncrypt's ISRG Root X1 root (also in 1.14.6)

Linux

• Support containers with !CAP_NET_RAW and !CAP_NET_ADMIN (like CircleCI runners)
• service (portlist) scanning optimized; uses much less CPU on busy servers

Windows

• Move state to C:\ProgramData (also in 1.14.4)

macOS

• Fix super rare Wireguard packet loop network flood when using a DNS server behind a subnet router, when a macOS device resumes from sleep and the network changes (also iOS, but triggers less there). Fixes #1526 (also in 1.14.6)

iOS

• Turn the radio on less often to improve battery performance

Android

• support Taildrop on older Android releases
• Turn the radio on less often to improve battery performance

1.14.6

• include LetsEncrypt's ISRG Root X1 root as an alternate to try if the platform roots fail
• if tailscale cert fails because it needs to be run as root, say so.
• avoid looping packets in tstun, believed to fix #1526
• allows SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
• ensure state directory is set to perm 0700.
• ignore ipsec link monitor events for iOS, avoid waking the system

1.14.5

Not released publicly.

1.14.4

Windows

• move state files from C:\Windows to C:\ProgramData, to better handle Windows Updates

Synology

• fix segfaults shortly after starting (#2733,)

1.14.3

• tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
• fix default route lookup on Windows; fixes #2707
• fix crash in TCP forwarding with userspace-networking #2658

Note: v1.14.1 and v1.14.2 were never released.