Tailscale Backend
- A new "Shields Up" mode offers a simple complement to ACLs. When a machine has shields up, it can connect to other Tailscale nodes, but all incoming connections are blocked.
- The ACL subsystem supports specifying CIDR-style network prefixes as destinations. This makes it much simpler to create ACLs for subnet routers.
- Tailscale now functions correctly in IPv6-only environments (e.g. a VPS lacking IPv4 internet access). Connectivity to IPv4-only hosts is provided through DERP.
Linux
- Tailscale can make outbound connections through a SOCKS proxy, if such a proxy is specified in the `all_proxy` environment variable.
- For advanced uses, system administrators can control the degree of automatic firewall configuration, with the `--netfilter-mode` flag to `tailscale up`. Setting this flag to "off" disables all management of netfilter. "nodivert" creates and manages Tailscale sub-chains, but leaves the calling of those chains up to the administrator. The default is "on", meaning full management of Tailscale's rules.
  - Note that if you set `--netfilter-mode` to "off" or "nodivert", it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by `--netfilter-mode=on` as a starting point.
- It is now possible to disable source NAT on subnet route traffic, with the `--snat-subnet-routes=false` flag on `tailscale up`. This allows destinations on subnets to see the Tailscale IP of the client, rather than that of the subnet router, but requires additional network configuration for return traffic.
- `tailscale up` warns if `--advertise-routes` is requested but IP forwarding is disabled on the system.
- The routing and firewall rules configured by Tailscale are now compatible with a wider variety of systems.
- Subnet routing now works even in the presence of conflicting local routes (for example, being on the same LAN that another machine is advertising as a subnet route).
- Experimental: forwarding all traffic to a single other Tailscale node should now be possible, with `--advertise-routes=0.0.0.0/0`. Please file bugs if you encounter any.
- `tailscale netcheck` supports `--format=json` for machine-readable output (format not guaranteed to be stable), and `--every=DURATION` for periodic probing of network conditions.
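
As an added example (not part of Tailscale or of these release notes), the shell functions below run a pre-flight check in the spirit of the `--advertise-routes` warning above, so a provisioning script can stop before bringing up a subnet router that cannot forward. The function names and the `PROC_SYS` override are hypothetical, the sysctl paths are the standard Linux ones, and checking IPv6 forwarding for IPv6 prefixes is an assumption of this example.

```shell
#!/bin/sh
# Added example: pre-flight check before `tailscale up --advertise-routes=...`.
# PROC_SYS (hypothetical override) lets the check run against a fake tree.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Print the address families ("ipv4", "ipv6") used by a comma-separated
# list of CIDR prefixes, one per line, without duplicates.
route_families() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r prefix; do
        case "$prefix" in
            "")  ;;               # ignore empty entries
            *:*) echo ipv6 ;;     # a colon only appears in IPv6 prefixes
            *)   echo ipv4 ;;
        esac
    done | sort -u
}

# Succeed only if the kernel forwarding switch for the family reads 1.
forwarding_enabled() {
    case "$1" in
        ipv4) f="$PROC_SYS/net/ipv4/ip_forward" ;;
        ipv6) f="$PROC_SYS/net/ipv6/conf/all/forwarding" ;;
        *)    return 2 ;;
    esac
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Report each family that is advertised but not forwarded.
# Returns 0 when every advertised family can be forwarded, 1 otherwise.
check_advertise_routes() {
    missing=""
    for fam in $(route_families "$1"); do
        forwarding_enabled "$fam" || missing="$missing $fam"
    done
    [ -z "$missing" ] && return 0
    echo "IP forwarding disabled for:$missing" >&2
    return 1
}
```

Call `check_advertise_routes` with the same value you intend to pass to `--advertise-routes`, including `0.0.0.0/0` for the experimental forward-all case, and abort on a non-zero return.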
Windows
- The system tray icon now matches the Tailscale logo, and works across light and dark modes.
- A new "Shields up" checkbox. When a machine has shields up, it can connect to other Tailscale nodes, but all incoming connections are blocked.
- Reduced memory usage
macOS
- A new "Shields up" checkbox. When a machine has shields up, it can connect to other Tailscale nodes, but all incoming connections are blocked.
- Reduced memory usage
iOS
- Various stability and memory usage improvements.
A complete list of changes can be found here: v0.98.0...v0.99.0