惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
Spread Privacy
Spread Privacy
T
Threatpost
C
Cisco Blogs
P
Palo Alto Networks Blog
AI
AI
Cyberwarzone
Cyberwarzone
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
G
GRAHAM CLULEY
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
Latest news
Latest news
AWS News Blog
AWS News Blog
D
Docker
S
SegmentFault 最新的问题
博客园 - 聂微东
WordPress大学
WordPress大学
Vercel News
Vercel News
S
Securelist
爱范儿
爱范儿
J
Java Code Geeks
Know Your Adversary
Know Your Adversary
S
Schneier on Security
Hugging Face - Blog
Hugging Face - Blog
F
Fortinet All Blogs
Last Week in AI
Last Week in AI
D
DataBreaches.Net
宝玉的分享
宝玉的分享
D
Darknet – Hacking Tools, Hacker News & Cyber Security
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
K
Kaspersky official blog
美团技术团队
博客园 - 叶小钗
阮一峰的网络日志
阮一峰的网络日志
量子位
博客园_首页
Attack and Defense Labs
Attack and Defense Labs
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
腾讯CDC
T
Threat Research - Cisco Blogs
雷峰网
雷峰网
有赞技术团队
有赞技术团队
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
S
Security Affairs

Blog on Tailscale

Audit AI agent requests, logs, and access with Aperture A no-nonsense explainer to Agentic AI Database, Kubernetes, and SSH access without passwords | Border0 + Tailscale Tailscale adds log streaming for Azure Blob Storage Build a flexible AI stack with Aperture More Tailscale tricks for your jailbroken Kindle Redundancy only matters if you can reach it Fixing my ridiculous fridge with a tiny Funnel site Canada’s Bill C-22 and the security cost of collecting more data Introducing: Aperture CLI Five TailscaleUp sessions I’d attend if I didn’t work here Bambuddy: self-hosted 3D printing beyond the vendor cloud Fixing Headlamp OIDC login with Tailscale and tsidp How Cleric uses tsnet to securely automate software operations Tailscale + Paperless-ngx: scan everything, expose nothing Aperture, now in beta, adds the controls teams need for AI agents This month at Tailscale for April 2026 Meet tailscale-rs, our new Rust library preview Pricing v4: more value, more simply Being the adult in the room The hidden costs of “good enough” network access Escaping the notch: Tailscale's new macOS home
This month at Tailscale for March 2026
Kevin Purdy · 2026-03-28 · via Blog on Tailscale

Here's a rundown of what's changed in Tailscale's software since our last blog update in late January 2026. There are changes to clients, integrations for new Tailscale features, and other updates. For instructions on how to update to the latest version, visit our update guide.

Changes

Tailscale Winter Update changes

Tailscale added a number of new features during Winter Update Week in late Feburary 2026, including:

Windowed UI on macOS

Starting with version 1.96.2, the macOS client now includes a windowed interface, providing easier access to useful tools, network data, and tools like Taildrop and Tailscale ping.

Client updates

v1.96.4

These notable changes are inclusive of all updates from versions 1.94.1 to 1.96.4. For detailed notes on each release, see our changelog.

All platforms

  • Fixed: Ping view is Tailscale Peer Relay aware (all platforms)
  • Changed: Tailscale Services virtual IPs are now automatically accepted by clients across all platforms regardless of the status of the --accept-routes feature.
  • Changed: Tailscale Peer Relays deliver improved throughput through monotonic time comparison optimizations and reduced lock contention.
  • Changed: The tailscale lock status -json command returns tailnet key authority (TKA) data in a stable format.
  • New: --audience flag added to tailscale up command to support auto generation of ID tokens for workload identity.
  • New: Identity tokens are automatically generated for workload identities.
  • New: tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total client metrics are available for Tailscale Peer Relays.
  • New: tailscaled_home_derp_region_id client metrics are available.
  • Fixed: Memory leak caused by high network map response rates is resolved.
  • Changed: For 1.96.x, Go is updated from version 1.25 to 1.26.tailscale dns query|status command supports --json flag to return JSON output.
  • New: tailscale wait [flags] command waits for Tailscale resources to become available for binding.
  • New: tailscale ip command supports --assert=<specific-ip-address> flag to assert that one or more of the node's IP addresses matches the specified IP address.
  • New: tailscale version —track and tailscale update --track support release-candidate flag to check for and update to release candidate builds.
  • Fixed: The AuthKey system policy applies only when a user is not in a logged in state.
  • Fixed: UPnP routes as expected during long lived port mapping sessions scenarios, including hard NAT.

Linux

  • An issue on forks of Linux caused by fallback-on-ENOSYS logic is resolved.
  • An issue that could cause a segmentation violation during startup on MIPS devices is resolved.
  • New: Launch the systray application on startup using autostart file with the tailscale configure systray --enable-startup=freedesktop command.
  • Changed: Scaling of Tailscale Peer Relays UDP sockets is gated by container-aware GOMAXPROCS defaults.
  • Fixed: Firewall rules created on Linux platforms correctly mark their traffic, avoiding reverse path filtering dropping connections and producing health warnings and risk prompts.
  • Fixed: OpenWrt versions 25.12.0 or later using apk as a package manager supports Tailscale updates.
  • New: Custom DERP servers support Google Cloud Platform (GCP) Certificate Manager.
  • New: Tailscale SSH authentication, when successful, results in LOGIN audit messages being sent to the kernel audit subsystem.
  • Changed: Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket option is supported on multi-core systems.
  • Fixed: Tailscale Peer Relay server handshake transmission is guarded against routing loops over Tailscale.
  • Fixed: MagicDNS always resolves when using resolve.conf without a DNS manager.

macOS

  • New: AuthBrowser.macos system policy sets a preferred browser for opening automatic authentication URLs.
  • New: HideDockIcon system policy determines if the Tailscale Dock icon persists after all Tailscale windows close.
  • New: Install and automatically update to release candidate versions of the client in the About section, Release Channel drop-down.
  • Fixed: DNS related health warnings no longer display when Tailscale DNS is disabled.
  • Fixed: tssentinelId command injection vulnerability has been removed. This fix addresses a security vulnerability described in TS-2026-001.
  • Fixed: Ping view is Tailscale Peer Relay aware.Windowed UI mode for macOS is generally available.
  • New: Double click an account in the Accounts section to switch to that account.
  • New: A progress dialog indicates Tailscale is waiting on the browser to complete reauthentication.
  • Fixed: The open source variant of Tailscale on macOS sets the node:osVersion attribute.
  • Fixed: The Taildrop Send File action and shortcut do not transmit empty files on macOS Tahoe (version 26) or later.
  • Fixed: Tailscale data directories for the macOS standalone version are excluded from Time Machine backups.
  • Fixed: An issue that required a machine reboot after installing a Tailscale update is resolved.

Windows

  • Fixed: DNS resolution issue caused by NRPT rule formatting is resolved.

iOS

  • Changed: iOS bug report ID displays in its entirety instead of being truncated.
  • Fixed: The Taildrop Send File action and shortcut do not transmit empty files on iOS version 26 or later.

Android

  • Fixed: An issue causing a deadlock when disconnecting from a tailnet is resolved.

tvOS

  • New: Use Tailscale Subnets toggle is added in Subnet Routing Settings.

Synology

  • Fixed: An issue on forks of Synology Linux cause by fallback-on-ENOSYS logic is resolved.

Workload identiy federation

Container, Kubernetes, and tsrecorder updates

Container image v1.94.1

Kubernetes operator v1.94.2

  • Fixed: Configuring a single invalid Tailscale FQDN for an egress will no longer cause the egress to crash. It will instead log the error and continuing serving traffic.
  • New: The Egress proxy can now send traffic to Tailscale service VIPs.
  • New: Use Kubenetes API server proxy audit logging (beta) to record Kubernetes API events on your cluster, in addition to or instead of entire recordings, that pass through your Kubernetes Operator API server proxy.
  • Fixed: In high availability (HA) mode, the write replica no longer serves stale TLS certificates after renewal.
  • Fixed: Setting container resources for the Tailscale container will no longer result in an invalid value error for “1Mi.”

tsrecorder v1.94.1

This version contains no changes except for library updates.

Those are the highlights for recent weeks. If you have questions or feedback, we're here to help. Thank you for using Tailscale.