This month at Tailscale: Fall Updates, GitHub Actions, and Tailnet name types
This Month’s Tailscale Updates
This month’s updates include all the features announced during Tailscale’s Fall Update Week, an updated GitHub Action, plus other improvements. For instructions on how to update to the latest version, please visit our update guide.
Tailscale GitHub Action v4.0.0
Tailscale’s GitHub Action has been completely rewritten in TypeScript and offers a number of improvements:
- Supports a ping parameter to verify tailnet connections.
- Can log out ephemeral nodes after CI runs.
- Improved logging efficiency.
Tailscale Services (Beta)
Tailscale Services allows for the creation and management of dedicated applications and services on your tailnet without tying them to any single device. Read more on our blog.
Tailscale Peer Relays (Beta)
Tailscale Peer Relays enable you to control your own UDP-based relays, providing high-performance traffic routing inside hard firewalls and cloud infrastructure. Learn more on the blog.
Multiple Tailnets (Alpha)
Administrators can now create multiple tailnets within one organization, using a common identity provider and domain. This feature supports sandboxing, staging, and other use cases. Details are available on the blog.
Workload Identity Federation (Beta)
Workload identity federation simplifies the creation of agents and workloads in infrastructure and CI/CD environments by utilizing Tailscale identity data instead of managing keys and secrets. Find out more on the blog.
Visual Policy Editor (General Availability)
The visual policy editor, which enables creating and editing policies using browser-based controls and search functionality, is now generally available.
Tailnet Name Types
Updates have been made to Tailscale’s admin console to support new naming tools and better handle multiple tailnets:
- Display Name: An optional field allowing you to assign a custom display name to your tailnet that appears in the admin console, client UI, and CLI instead of your domain or email address.
- Tailnet ID: Use this in the tailnetId field for Tailscale API path parameters instead of your organization name.
- Legacy ID: Replaces the Organization field in the console. The Organization field will continue to display for existing tailnets but will not be shown for newly created ones.
Security and Stability Improvements (Tailscale v1.88.4 to v1.90.5)
We released a series of updates and fixes to improve security and stability across all platforms. Highlights include:
All Platforms
- Resolved a deadlock issue in the client when checking for network availability.
- tailscaled now shuts down as expected without panic.
- Clients can use configured DNS resolvers for all domains, even when using an exit node, via the nameserver settings in the DNS page of the admin console.
- Node keys renew seamlessly, maintaining existing connections while re-authenticating.
Linux
- Tailscale SSH no longer experiences a 10-second hang when connecting to tsrecorder (affecting tailnets using Tailscale SSH recording).
- tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.
- tailscaled starts up properly in no-router configuration environments.
- An iptables regression on non-amd64/arm64 platforms has been resolved, allowing the client to start properly.
- Running on devices with TPM 1.x no longer causes the daemon to fail.
- Node key sealing is now generally available (GA) and enabled by default. See Secure node state storage for details.
Windows
- tailscaled no longer sporadically panics when a TPM device is present.
- Node key sealing is GA and enabled by default. More info at Secure node state storage.
macOS
- Tailscale dock icon now closes as expected when the client is not using the windowed UI (beta).
- A “Hide Dock Icon” checkbox in Settings lets you remove the Tailscale icon from the macOS dock when the client window is closed.
- The tailscale drive CLI command for sharing Taildrive directories is no longer available; use the client GUI instead.
- Node key sealing is GA and enabled by default. More information available at Secure node state storage.
- Exit node selection using the macOS Shortcuts app works as expected.
- Account displays via the macOS menu bar icon load correctly.
- Client user preferences for automatic/recommended exit node selection are now remembered.
iOS
- Exit node selection using the iOS Shortcuts app works as expected.
- Client user preferences for automatic/recommended exit node selection are remembered correctly.
Android
- The client is able to establish direct connections as expected.
WASM
- The JS/WASM client used by tsconnect no longer crashes unexpectedly.
FreeBSD
- tailscaled starts up as expected in no-router configuration environments.
OpenBSD
- tailscaled starts up as expected in no-router configuration environments.
All fixes and changes are available in the current stable release, v1.90.5.
Container Image v1.90.5
This container image version contains no functional changes except for library updates.
Kubernetes Operator v1.90.5
- DNSConfig nameserver now supports Pods with IPv6 addresses and serves AAAA records.
- Support added for specifying replica count for high-availability deployment.
- Support added for specifying pod tolerations in DNSConfig nameserver.
- ProxyClass now supports the dnsConfig and dnsPolicy fields for refined DNS specifications.
- Reconciler logs are now sent to the Tailscale control plane alongside core client logs. This can be disabled by setting the environment variable TS_NO_LOGS_NO_SUPPORT=true in the operator deployment.
tsrecorder v1.90.5
- Updated web interface with improved search, filtering, and enhanced design.
- kubectl exec sessions record as expected.
- Cached recordings on large datasets no longer fail if the caching process takes longer than one minute.
- Recordings are no longer stopped prematurely when a session exceeds one minute.
Thank you for using Tailscale. We remain committed to delivering continuous improvements for security, stability, and usability across all platforms.