This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.
Linux
tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
Resolved issues with nftables rules for stateful filtering, introduced in v1.66.0.
macOS
A version mismatch warning no longer displays when upgrading, if no mismatch is detected.
v1.66.0
We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.
All platforms
Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Linux
Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.
Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.
macOS
View a suggested exit node in the Exit Node picker when available.
Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
iOS
See direct vs. relayed connections in the Ping view.
View a suggested exit node in the Exit Node picker when available.
Use auth keys to log in without using the browser.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
dependabot[bot]
commented
4 months ago
Bumps the gomod group with 4 updates in the / directory: github.com/prometheus/client_golang, golang.org/x/crypto, golang.org/x/oauth2 and tailscale.com.
Updates
github.com/prometheus/client_golangfrom 1.19.0 to 1.19.1Release notes
Sourced from github.com/prometheus/client_golang's releases.
Changelog
Sourced from github.com/prometheus/client_golang's changelog.
Commits
6e3f4b1Cut 1.19.1 (#1494)cad1bfaMerge pull request #1454 from prometheus/small-nits0aa8c9fRephrase incompatibility with common v0.48.0Updates
golang.org/x/cryptofrom 0.21.0 to 0.23.0Commits
905d78ago.mod: update golang.org/x dependenciesebb717dssh: validate key type in SSH_MSG_USERAUTH_PK_OK response0da2a6aopenpgp: fix function name in comment5defcc1sha3: fix Sum results for SHAKE functions on s390xd042a39go.mod: update golang.org/x dependenciesb92bf94ssh: respect MaxAuthTries also for "none" auth attempts6f79b5assh: add server side multi-step authentication8d0d405x/crypto/chacha20: cleanup chacha_ppc64le.sb91329dall: remove redundant words in comments and fix some typosUpdates
golang.org/x/oauth2from 0.18.0 to 0.20.0Commits
84cb9f7oauth2: fix typo in comment4b7f0bdgo.mod: update cloud.google.com/go/compute/metadata dependencye11eea8microsoft: added DeviceAuthURL to AzureADEndpointd0e617cgoogle: add Credentials.UniverseDomainProvider3c9c1f6oauth2/google: fix the logic of sts 0 value of expires_in5a05c65oauth2/google: fix remove content-type header from idms get requests3a6776aappengine: drop obsolete code for AppEngine envs <=Go 1.11Updates
tailscale.comfrom 1.62.1 to 1.66.1Release notes
Sourced from tailscale.com's releases.
... (truncated)
Commits
88e23b6VERSION.txt: this is v1.66.1d77499ewgengine/router: print Docker warning when stateful filtering is enabledd904990util/linuxfw: fix table name in DelStatefulRuleb10ee74cmd/tailscale: add missing set flags for linux60d8965util/linuxfw: fix stateful packet filtering in nftables modee2a0fc0VERSION.txt: this is v1.66.08130656api.md: remove extraneous commas in json examples6f4a1dcipn/ipnlocal: fix another read of keyExpired outside mutexe968b0ecmd/tailscale,controlclient,ipnlocal: fix 'up', deflake tests moree5ef358ipn/ipnlocal: fix read of keyExpired outside mutexDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show