Tailscale Release Notes

Tailscale container image v1.94.1

A new release of the Tailscale container image is available. You can download it from Docker Hub or from our GitHub packages repository.

• OAuth and workload identity federation support has been added for containers.

Tailscale Kubernetes Operator v1.94.1

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

• The Egress proxy can now send traffic to Tailscale service VIPs.
• Use Kubenetes API server proxy audit logging (beta) to record Kubernetes API events on your cluster, in addition to or instead of entire recordings, that pass through your Kubernetes Operator API server proxy.
• Setting container resources for the Tailscale container will no longer result in an invalid value error for “1Mi.”

Tailscale tsrecorder v1.94.1

A new release of the Tailscale tsrecorder is available. You can download it from Docker Hub.

• Note: This version contains no changes except for library updates.

Tailscale v1.94.1

Linux

Note: 1.94.0 was a release candidate intended for testing only.

All Platforms

• tailscaled_home_derp_region_id client metrics are available.
• tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total client metrics are available for Tailscale Peer Relays.
• Identity tokens are automatically generated for workload identities.
• --audience flag added to tailscale up command to support auto generation of ID tokens for workload identity.
• tsnet nodes can host Tailscale Services.
• The tailscale lock status -json command returns tailnet key authority (TKA) data in a stable format.
• Tailscale Peer Relays deliver improved throughput through monotonic time comparison optimizations and reduced lock contention.

Linux

• Custom DERP servers support Google Cloud Platform (GCP) Certificate Manager.
• Tailscale SSH authentication, when successful, results in LOGIN audit messages being sent to the kernel audit subsystem.
• Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket option is supported on multi-core systems.
• Tailscale Peer Relay server handshake transmission is guarded against routing loops over Tailscale.
• MagicDNS always resolves when using resolve.conf without a DNS manager.

macOS

• AuthBrowser.macos system policy sets a preferred browser for opening automatic authentication URLs.
• HideDockIcon system policy determines if the Tailscale Dock icon persists after all Tailscale windows close.
• Install and automatically update to release candidate versions of the client in the About section, Release Channel drop-down.
• DNS related health warnings no longer display when Tailscale DNS is disabled.
• tssentinelId command injection vulnerability has been removed. This fix addresses a security vulnerability described in TS-2026-001.
• Ping view is Tailscale Peer Relay aware.

iOS

• Ping view is Tailscale Peer Relay aware.

tvOS

• Use Tailscale Subnets toggle is added in Subnet Routing Settings.
• Ping view is Tailscale Peer Relay aware.

Android

• Ping view is Tailscale Peer Relay aware.