This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.
Linux
tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
Resolved issues with nftables rules for stateful filtering, introduced in v1.66.0.
macOS
A version mismatch warning no longer displays when upgrading, if no mismatch is detected.
v1.66.0
We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.
All platforms
Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Linux
Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.
Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.
macOS
View a suggested exit node in the Exit Node picker when available.
Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
iOS
See direct vs. relayed connections in the Ping view.
View a suggested exit node in the Exit Node picker when available.
Use auth keys to log in without using the browser.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the gomod group with 4 updates in the / directory: github.com/prometheus/client_golang, golang.org/x/crypto, golang.org/x/oauth2 and tailscale.com.
Updates
github.com/prometheus/client_golang
from 1.19.0 to 1.19.1Release notes
Sourced from github.com/prometheus/client_golang's releases.
Changelog
Sourced from github.com/prometheus/client_golang's changelog.
Commits
6e3f4b1
Cut 1.19.1 (#1494)cad1bfa
Merge pull request #1454 from prometheus/small-nits0aa8c9f
Rephrase incompatibility with common v0.48.0Updates
golang.org/x/crypto
from 0.21.0 to 0.23.0Commits
905d78a
go.mod: update golang.org/x dependenciesebb717d
ssh: validate key type in SSH_MSG_USERAUTH_PK_OK response0da2a6a
openpgp: fix function name in comment5defcc1
sha3: fix Sum results for SHAKE functions on s390xd042a39
go.mod: update golang.org/x dependenciesb92bf94
ssh: respect MaxAuthTries also for "none" auth attempts6f79b5a
ssh: add server side multi-step authentication8d0d405
x/crypto/chacha20: cleanup chacha_ppc64le.sb91329d
all: remove redundant words in comments and fix some typosUpdates
golang.org/x/oauth2
from 0.18.0 to 0.20.0Commits
84cb9f7
oauth2: fix typo in comment4b7f0bd
go.mod: update cloud.google.com/go/compute/metadata dependencye11eea8
microsoft: added DeviceAuthURL to AzureADEndpointd0e617c
google: add Credentials.UniverseDomainProvider3c9c1f6
oauth2/google: fix the logic of sts 0 value of expires_in5a05c65
oauth2/google: fix remove content-type header from idms get requests3a6776a
appengine: drop obsolete code for AppEngine envs <=Go 1.11Updates
tailscale.com
from 1.62.1 to 1.66.1Release notes
Sourced from tailscale.com's releases.
... (truncated)
Commits
88e23b6
VERSION.txt: this is v1.66.1d77499e
wgengine/router: print Docker warning when stateful filtering is enabledd904990
util/linuxfw: fix table name in DelStatefulRuleb10ee74
cmd/tailscale: add missing set flags for linux60d8965
util/linuxfw: fix stateful packet filtering in nftables modee2a0fc0
VERSION.txt: this is v1.66.08130656
api.md: remove extraneous commas in json examples6f4a1dc
ipn/ipnlocal: fix another read of keyExpired outside mutexe968b0e
cmd/tailscale,controlclient,ipnlocal: fix 'up', deflake tests moree5ef358
ipn/ipnlocal: fix read of keyExpired outside mutexDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show