The easiest, most secure way to use WireGuard and 2FA.



Private WireGuard® networks made easy


This repository contains all the open source Tailscale client code and the tailscaled daemon and tailscale CLI tool. The tailscaled daemon runs primarily on Linux; it also works to varying degrees on FreeBSD, OpenBSD, Darwin, and Windows.

The Android app is at


We serve packages for a variety of distros at .

Other clients

The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers that are not open source.


go install{,d}

If you're packaging Tailscale for distribution, use instead, to burn commit IDs and version info into the binaries:


If your distro has conventions that preclude the use of, please do the equivalent of what it does in your distro's way, so that bug reports contain useful version information.

We only guarantee to support the latest Go release and any Go beta or release candidate builds (currently Go 1.16) in module mode. It might work in earlier Go versions or in GOPATH mode, but we're making no effort to keep those working.


Please file any issues about this code or the hosted service on the issue tracker.


PRs welcome! But please file bugs. Commit messages should reference bugs.

We require Developer Certificate of Origin Signed-off-by lines in commits.

About Us

Tailscale is primarily developed by the people at For other contributors, see:


WireGuard is a registered trademark of Jason A. Donenfeld.

  • windows: wgengine.NewUserspaceEngine: InterfaceFromIndexEx() - interface with specified LUID not found

    windows: wgengine.NewUserspaceEngine: InterfaceFromIndexEx() - interface with specified LUID not found

    Describe the bug After installing Tailscale as a fresh installation on Windows the product will not function. On reboot the error message "Tailscale service is not running. safesocket.Connect dial tcp connectex: No connection could be made because the target actively refused it" is popped up.

    Obviously this implies the service is somehow not running or accepting connections. Service menu says that the service is actually running. Mousing over the GUI shows "Tailscale: Windows service is not running". Bringing up the context menu also says "Please restart the tailscale service" as the top option.

    Going into the services and restarting (and / or 'stopping' then 'starting') the Tailscale IPN has no visible effect on the GUI / function of Tailscale. Windows service status does indicate the service is stopping and starting again. No error messages appear during the start / stop of the service.

    Restarting the computer results in the same state, along with the message box popup relating to the failed TCP dial in the first ~10 - 15 seconds of logging in.

    To Reproduce Download latest installer from - In my case 0.99.0-0.

    Install with no error messages or visible issues.

    Attempt to login / connect / user Tailscale.

    Expected behavior Tailscale is functional.


    Version information:

    • Device: Desktop PC
    • OS: Windows
    • OS version: Windows 10 Pro - Version 2004 (OS Build 19041.330)
    • Tailscale version: 0.99.0-0

    Front logo Front conversations

    OS-windows L1 Very few P2 Aggravating T8 Crash 
    opened by 0x42424242 92
  • Tailscale Exit node breaks internet

    Tailscale Exit node breaks internet

    Searches bring up a couple of similar posts which require users to paste bug reports for resolution - so I'm jumping straight to that point.


      • Internet works fine before connecting to exit node
      • No internet functions work while exit node is selected
      • Internet immediately restored once disconnected from exit node

    I've got a really simple network - a macOS client and a Linux server:

    • macbook -
    • linux -

    Everything green in the admin panel, exit node selected and enabled there too.



    Thanks in advance!

    Front logo Front conversations

    L1 Very few P2 Aggravating T5 Usability exit-node 
    opened by atjbramley 65
  • tailscaled: get working on macOS with homebrew

    tailscaled: get working on macOS with homebrew

    We'd like to be able to distribute automated, unsigned DMG images of the latest macOS client.

    But unsigned means no NetworkExtension, which means we need to use cmd/tailscaled as the backend, with its utun device. WireGuard TUN supports that, but we don't have implementations of wgengine/router to do that.

    Ignoring the GUI glue, I can log in to tailscaled on a Mac:

    $ sudo mkdir -p /Library/tailscaled
    $ sudo tailscaled --state=/Library/tailscaled/tailscaled.state --tun=utun4

    ... and then tailscale up as a regular user to get my login URL & add the machine.

    And then I see it form the mesh and do the handshakes, but I don't have routes.

    I tried to:

    sudo route add -host -interface utun4

    But doesn't seem to work:

    $ ping
    PING ( 56 data bytes
    ping: sendto: Device not configured
    ping: sendto: Device not configured
    Request timeout for icmp_seq 0
    ping: sendto: Device not configured
    Request timeout for icmp_seq 1
    ping: sendto: Device not configured
    Request timeout for icmp_seq 2
    ping: sendto: Device not configured
    Request timeout for icmp_seq 3

    I don't know enough about macOS networking to do this quickly, so I'm at least writing down what I tried & where I got.

    enhancement good first issue help wanted OS-macos L3 Some users P5 Halts deployment T0 New feature 
    opened by bradfitz 60
  • Package for pfSense to utilize Tailscale

    Package for pfSense to utilize Tailscale

    Was asked to open this Bug report by BradFitz

    Describe the bug Create Package for use on OPNsense and PFsense systems. Also to allow bridging connections within the application

    To Reproduce Steps to reproduce the behavior: No errors

    Expected behavior Currently a similar software called Zerotier has a package for OPNsense that allows the router to be a member of the network. Also advanced configuration exists to allow bridging the LAN network with the Zerotier network. Would like a similar solution with Tailscale.

    Version information: Latest builds for both systems

    Additional context No additional context

    Front logo Front conversations

    opened by mspencerl87 58
  • Let users add/replace DERP servers for their network

    Let users add/replace DERP servers for their network

    Tailscale (the company) runs DERP relays around the world, such that there's always one near users, but various users/organizations have requested the ability to modify the DERP map for their network, either:

    • augmenting our DERP map with DERP nodes that they run (using the open source server)
    • removing certain DERP servers from our set (e.g. remove some in certain countries, for regulatory reasons), including removing all but certain geos
    • some combination of both: like removing all ours, and only using the ones the user supplied.

    An easy way to this is to add some fields to the ACL JSON object (which we could rebrand as the "tailnet policy config" or "Tailnet ACL and policy config").

    (We've discussed this in various forums, but creating this public tracking bug)

    L1 Very few P2 Aggravating T3 Performance/Debugging 
    opened by bradfitz 57
  • Windows: taskbar displays

    Windows: taskbar displays "Please restart the Tailscale Windows Service"

    I upgraded from Windows 10 to Windows 11 Insider Preview, version 21H2 build 22000.51.

    Hovering over the taskbar icon, I see "Tailscale: Windows service not running". On right-click I see "Please restart the Tailscale Windows Service". The Services console shows the service is running. Restarting the service there doesn't change anything. Reboots don't help either.

    I tried reinstalling Tailscale 1.10.0 (stable) and 1.11.24 (unstable).

    Please let me know if you need any other info.

    Front logo Front conversations

    OS-windows L3 Some users P3 Can't get started T6 Major usability 
    opened by 33b5e5 51
  • macOS & iOS doesn't use DNS set in the admin panel

    macOS & iOS doesn't use DNS set in the admin panel

    Describe the bug On macOS dns resolution order doesn't get prioritized with the dns in the admin panel which means it's essentially ignored.

    To Reproduce Steps to reproduce the behavior:

    1. Set the DNS in the admin panel
    2. scutil --dns should show the config in the scoped queries
    3. ping or resolve a host where the dns would have a different ip ie. using an internal VPC dns in aws to get the internal ip vs the external ip.
    4. You'll see the public ip returned not the internal ip. nslookup with the admin dns resolves to the internal ip correctly

    Expected behavior I'd expect the dns set in the admin to take priority with the vpn is connected, or at least an option per client to decide

    Version information:  - Device: macbook pro  - OS: macOS  - OS version: 10.14.6  - Tailscale version: App version: 0.95.208

    Additional context I currently have a very specific hardcoded example that works as a work around at it listens to the up/down of the interfaces and adds resolvers for specific domains to be used.

    ┆Issue is synchronized with this Asana task by Unito

    OS-macos OS-ios L4 Most users P5 Halts deployment T6 Major usability 
    opened by josmo 51
  • MagicDNS seems broken on Android with v1.8.3

    MagicDNS seems broken on Android with v1.8.3

    General DNS resolution works but requests are routed to the DHCP announced nameservers. My account has MagicDNS enabled and has an internal nameserver (using a 100.x.x.x address). My other devices work find (none of them are Android).

    I'm not sure how to provide more detailed information...

    Front logo Front conversations

    OS-android L2 Few P3 Can't get started T6 Major usability dns 
    opened by fd 49
  • openwrt package

    openwrt package

    User reports say that tailscale works on openwrt with the static arm binary. The only extra step that's required is opkg install kmod-tun.

    (This is complicated by the fact that there's more than one flavor of openwrt.)

    Front logo Front conversations

    help wanted packaging L3 Some users P3 Can't get started T6 Major usability 
    opened by crawshaw 47
  • Update OS firewall settings to allow incoming Tailscale

    Update OS firewall settings to allow incoming Tailscale

    We get various bug reports from macOS and Windows users who find that the OS firewall is blocking connections to their Tailscale IP.

    One user:

    Figured it out, MacOS Firewall was set to 'Block All Incoming Connections'

    Another user:

    I am able to ping and ssh both ways when I disable windows firewall, but cannot with windows firewall on. I haven’t seen any documents related to what settings might need to be altered in the firewall to allow this to work, actually the whitepaper suggests nothing should have to happen.

    And on the front page of we say:

    Even when separated by firewalls or subnets, Tailscale just works.

    That text is referring to gateway/router firewalls, not OS firewalls, but it's confusing/misleading in any case.

    We should be able to update the OS firewall settings on macOS and Windows to allow incoming connections to the user's Tailscale IP from other Tailscale IPs. (The "Shields Up" feature will then be the real firewall)

    I'm in favor of doing this unilaterally, but perhaps it'd need to be an option. But at least we could make it prominent when they're toggling Shields Up, warning them that their OS is going to interfere with their choice and "Would you like Tailscale to fix it? [ Yes ] [ No ]", etc.

    /cc @apenwarr @danderson @dfcarney @crawshaw

    (I previously filed this as tailscale/corp#183, meant as a meta bug, but it was closed when a more specific case was fixed)

    connectivity OS-windows OS-macos L3 Some users P2 Aggravating T5 Usability 
    opened by bradfitz 44
  • Support running in containers (Serverless)

    Support running in containers (Serverless)

    We have minimal support for containers, in that a Dockerfile exists. However, that Dockerfile doesn't embed correct version numbers, doesn't support authkey enrollment, and we have the same problem that Kubernetes had with incompatible host vs. container iptables. As such, we don't currently publish official images anywhere.

    This is a tracking bug to make the container image good enough that we can support it as an official platform.

    infrastructure OS-kubernetes L3 Some users P3 Can't get started T6 Major usability on-hold containers 
    opened by danderson 40
  • tsnet: use one zstd encoder for all Servers

    tsnet: use one zstd encoder for all Servers

    When a Server is destroyed we run into with ever-increasing memory footprint from the zstd encoder structures.

    From that issue: "Since you are just using EncodeAll you can use a single instance for all files. This is safe and allows for concurrent compression."


    Signed-off-by: Denton Gentry [email protected]

    opened by DentonGentry 0
  • cmd/tailscaled, util/winutil: log Windows service diagnostics when th…

    cmd/tailscaled, util/winutil: log Windows service diagnostics when th…

    …e wintun device fails to install

    I added new functions to winutil to obtain the state of a service and all its depedencies, serialize them to JSON, and write them to a Logf.

    When tstun.New returns a wrapped ERROR_DEVICE_NOT_AVAILABLE, we know that wintun installation failed. We then log the service graph rooted at "NetSetupSvc". We are interested in that specific service because network devices will not install if that service is not running.


    Signed-off-by: Aaron Klotz [email protected]

    Here is sample output:

    State of service "NetSetupSvc" and its dependencies:
        "serviceName": "NetSetupSvc",
        "serviceType": "WIN32",
        "state": "RUNNING",
        "startupType": "DEMAND_START",
        "triggers": [
            "triggerType": 7,
            "action": 1,
            "triggerSubtype": "{2D7A2816-0C5E-45FC-9CE7-570E5ECDE9C9}",
            "dataItems": [
                "dataType": 1,
                "data": "7508bca3230a8f12"
            "triggerType": 7,
            "action": 1,
            "triggerSubtype": "{2D7A2816-0C5E-45FC-9CE7-570E5ECDE9C9}",
            "dataItems": [
                "dataType": 1,
                "data": "7510bca3230a8f12"
            "triggerType": 6,
            "action": 1,
            "triggerSubtype": "{BC90D167-9470-4139-A9BA-BE0BBBF5B74D}",
            "dataItems": [
                "dataType": 2,
                "data": "610031003100310066003100630035002d0035003900320033002d0034003700630030002d0039006100360038002d006400300062006100660062003500370037003900300031000000"
        "serviceName": "RpcSs",
        "serviceType": "WIN32",
        "state": "RUNNING",
        "startupType": "AUTO_START"
        "serviceName": "RpcEptMapper",
        "serviceType": "WIN32",
        "state": "RUNNING",
        "startupType": "AUTO_START"
        "serviceName": "DcomLaunch",
        "serviceType": "WIN32",
        "state": "RUNNING",
        "startupType": "AUTO_START"
    opened by dblohm7 0
  • control/controlclient: stop restarting map polls on health change

    control/controlclient: stop restarting map polls on health change

    At some point we started restarting map polls on health change, but we don't remember why. Maybe it was a desperate workaround for something. I'm not sure it ever worked.

    Rather than have a haunted graveyard, remove it.

    In its place, though, and somewhat as a safety backup, send those updates over the HTTP/2 noise channel if we have one open. Then if there was a reason that a map poll restart would help we could do it server-side. But mostly we can gather error stats and show machine-level health info for debugging.

    opened by bradfitz 0
  • ssh: Tailscale SSH's sftp server ignores permission bits in new files

    ssh: Tailscale SSH's sftp server ignores permission bits in new files

    As reported by @migueldeicaza, Tailscale SSH's sftp server ignores permission bits when creating a new file.

    He writes:

    I am using the sftp API from libssh2, and this is the mode that i pass to write the executable:


    I initially failed to reproduce it because the sftp CLI tool seems to work, but that (I believe) does a Open+Write+Close followed by a Chmod (in put -p mode) rather than setting the permissions on the open-for-write.

    Looking at the sftp code we use,

    ... it seems to never set the osFlags permission bits.

    And sshFxpOpenPacket.Flags even has an // ignored comment:

    So maybe it's as easy as fleshing that out to not ignore those bits.

    /cc @maisem

    opened by bradfitz 0
  • hostinfo, tailcfg, util/linuxfw: add Linux firewall information

    hostinfo, tailcfg, util/linuxfw: add Linux firewall information

    This package is an initial implementation of something that can read netfilter and iptables rules from the Linux kernel without needing to shell out to an external utility; it speaks directly to the kernel using syscalls and parses the data returned.

    Currently this is read-only since it only knows how to parse a subset of the available data.

    Signed-off-by: Andrew Dunham [email protected]

    opened by andrew-d 2
  • logtail: always record timestamps in UTC

    logtail: always record timestamps in UTC

    Upstream optimizations to the Go time package will make unmarshaling of time.Time 3-6x faster. See:


    The last optimization avoids a []byte -> string allocation if the timestamp string less than than 32B. Unfortunately, the presence of a timezone breaks that optimization. Drop recording of timezone as this is non-essential information.

    Most of the performance gains is upon unmarshal, but there is also a slight performance benefit to not marshaling the timezone as well.

    Signed-off-by: Joe Tsai [email protected]

    opened by dsnet 3
  • v1.30.2(Sep 16, 2022)

  • v1.30.1(Sep 8, 2022)


    • fix exit-nodes in --tun=userspace-networking mode with no IPv6 connectivity to not break Chrome 104+
    • fix SIGINT when running in a container without job control
    Source code(tar.gz)
    Source code(zip)
  • v1.30.0(Aug 31, 2022)

    All Platforms

    • delete node immediately if tailscaled exits and was using mem: state storage
    • report whether a subnet router is running in userspace-networking or kernel mode.
    • send Tailscale client version number in ACME requests (to LetsEncrypt, for example)
    • add a timeout when writing to BIRD socket
    • use DNS-over-HTTPS for Mullvad DNS servers
    • add tailscale licenses with link to open source licenses
    • clients can use Noise with any HTTPS port with capver 39 (mainly for Headscale)
    • will respond with SERVFAIL if there are no upstream resolvers
    • tsnet ephemeral nodes will delete themselves on Close()
    • report whether host kernel supports IPv6
    • misc performance optimizations, smaller bug fixes


    • gracefully handle restarts in systemd-resolved support


    • notice when group policy entries change and move our NRPT rules between the local and group policy subkeys as needed
    • avoid 2.3 second DNS lookup delay when Smart Name Resolution is enabled by adding MagicDNS names to hosts file
    • disable NetBIOS nameservice on Tailscale intefaces
    • update Proxy support
    • add native ARM build for backend Tailscale service (only in NSIS installer in this release)


    • report variant (App Store, macSys) in the About box


    • fix potential crash in notification handling
    • fix dismissing of error indication if a bugreport fails


    • Fix Google Stadia, Android Auto, GoPro, and Messages RCS with the VPN active.
    • Allow coordination server URL to be set. Click the Authentication menu three times quickly to enable.


    • fix /dev/net permissions in tailscale configure-host


    • support functioning as a subnet router or exit node using hybrid netstack mode


    • accommodate shared nodes in nginx-auth
    • fix race in derper (Custom DERP servers) with manual certificates.
    Source code(tar.gz)
    Source code(zip)
  • v1.28.0(Jul 18, 2022)

    All Platforms

    • MagicDNS recursive resolution now returns SERVFAIL if all upstream resolvers fail
    • fix tailscale ping -c N to properly exit after N ping requests even if there are timeouts
    • portmapper: send discovery packet for IGD specifically, some routers don't respond to ssdp:all
    • add ExitNodeStatus to tailscale status --json


    • implement specific DNS support for AWS, Google Cloud, and Azure to add internal split DNS domain & fallback DNS


    • set registry values to not send DNS changes concerning our interface to AD domain controllers
    • update Windows split DNS settings to work alongside other NRPT entries set by group policy
    • suppress nonfunctional link-local IPv6 addresses on Tailscale interface, Powershell ping (hostname) now works correctly
    • set AllowSameVersionUpgrades attribute on MajorUpgrade tag in Windows MSI script


    • Use one large route entry if there are no other interfaces using CGNAT, to avoid Network Changed errors in browsers where possible


    • the minimum iOS version is now iOS 15, which makes substantially more memory available (the App Store will offer Tailscale 1.26.2 for iOS 13 and 14 devices)
    • add portmapper support for NAT-PMP, PCP, UPnP
    • add MagicDNS support for TCP


    • Android can now be an exit node (previously available but hidden)
    Source code(tar.gz)
    Source code(zip)
  • v1.26.2(Jul 5, 2022)

    All Platforms

    • fix tailscaled being able to restart while mosh-server is running from an SSH session
    • make tailscale up --operator="" clear a previously set operator


    • fix Tailscale SSH support with Arch Linux


    • make ssh command prefer Windows ssh.exe over PATH


    • limit SSH login to 16 groups


    • try harder to notify for SSH check mode
    Source code(tar.gz)
    Source code(zip)
  • v1.26.1(Jun 18, 2022)

  • v1.26.0(Jun 6, 2022)

    All Platforms

    • Added tailscale ping --peerapi <peer> to check connectivity to a peer using the PeerAPI.
    • package refactored w/ LocalClient type
    • allow LoginInteractive via LocalAPI
    • MagicDNS supports DNS/TCP and handling IP fragmented UDP frames
    • add an overall 10 second timeout for recursive MagicDNS queries
    • add Wake-on-LAN function to PeerAPI (no UI for it yet)
    • change MagicDNS "via route" DNS names from "via-SITEID." to "". The old format will continue to work for a release or two.
    • configured MTU is now consistent between TUN device and userspace device.
    • Added --timeout <duration> flag to tailscale up to enforce a maximum amount of time to wait for the Tailscale service to initialize


    • fix MagicDNS lookup of own hostname
    • fix handling of >50 Split DNS domains
    • resolve one source of shutdown delay (may still be more)
    • add TS_NOLAUNCH property to allow admins to deploy silent MSI installs without automatically starting the GUI: msiexec /quiet filename.msi TS_NOLAUNCH=1


    • Tailscaled-on-macOS now supports MagicDNS (including Split DNS)
    • Initial release of a standalone macOS client, which is independent of the App Store, in the stable track


    • add bug report UI


    • Allow the NAS disks to hibernate by moving telemetry buffering to tmpfs
    • Fix HTTP proxy handling
    Source code(tar.gz)
    Source code(zip)
  • v1.24.2(Apr 28, 2022)

    All platforms

    • fix handling of HTTP proxies in certain circumstances
    • fix another issue where the new control plane protocol could fail to make a connection to our servers (#4557)


    • additional fix in handling of HTTP proxies
    Source code(tar.gz)
    Source code(zip)
  • v1.24.1(Apr 27, 2022)

    All Platforms

    • fix two issues where the new control plane protocol could fail to make a connection to our servers (,
    • set TCP keep-alives in userspace-networking subnet router to avoid connection leaks (
    • avoid using the LTE radio after transition to Wi-Fi
    Source code(tar.gz)
    Source code(zip)
  • v1.24.0(Apr 22, 2022)

    All Platforms

    • improve netstack performance via better GC tuning
    • Initial support for site-relative IPv4 addressing using IPv6
    • MagicDNS: PTR records for TS service IPs
    • First for-keepsies deployment of ts2021 protocol
    • build with Go 1.18
    • tsnet now supports providing a custom ipn.StateStore.


    • taildrop: add file get --loop
    • taildrop: add file get --conflict=(skip|overwrite|rename)
    • default to userspace-networking mode on gokrazy
    • set tailscale0 link speed to UNKNOWN, not 1Gbps.
    • Attempt to load the xt_mark kernel module when it is not present.


    • improve HTTPS proxy handling
    • fix naming in MSI installer


    • fix CLI in macSys build
    • make quit on termination more reliable, helps with restart after upgrade


    • make quit on termination more reliable, helps with restart after upgrade


    • add Android TV support
    • fix and reintroduce Talkback support


    • improve HTTPS proxy handling


    • fix portmapping support
    Source code(tar.gz)
    Source code(zip)
  • v1.22.2(Mar 18, 2022)

  • v1.22.1(Mar 9, 2022)


    • better operation with gokrazy
    • Fix portmapping on FreeBSD
    • In userspace-networking mode, always close SOCKS proxied connections
    • Fix a Windows NSIS installer bug when upgrading
    • Fix macOS GUI "Must restart" dialog in some cases
    Source code(tar.gz)
    Source code(zip)
  • v1.22.0(Feb 23, 2022)

    All Platforms

    • New: DERP Return Path Optimization (DRPO), allows a pair of nodes in different DERP regions to connect more quickly by only requiring one side to connect to the other, cutting down some DERP setup latency
    • New: tailscaled --state=mem: registers as an ephemeral node and does not store state to disk
    • New: tailscale status --json now shows Tags and PrimaryRoutes for Peers. PrimaryRoutes shows whether a HA subnet router is currently the active one.
    • New: tailscale status --json | jq .TailnetName will show the name of the tailnet
    • New: the optional tailscaled debug server's Prometheus metrics exporter now also includes Go runtime metrics
    • New: tailscaled supports a new TS_PERMIT_CERT_UID environment variable containing either a userid or username to allow to fetch Tailscale TLS certificates for the node. This environment variable can be set in /etc/default/tailscaled to permit non-root web servers on the local machine to fetch certs from tailscaled.
    • Fixed: send heartbeats less often, saving some battery, matching 1.20 change on mobile platforms.
    • Changed: --auth-key and --authkey both work as tailscale up arguments


    • New: MSI installer
    • Fixed: Reject SIDs from deleted/invalid security principals to avoid failed to look up user from userid error


    • Fixed: More robust detection of systemd-resolved
    • Fixed: Efficiently parse extremely large /proc/net/route files
    • Fixed: Be more helpful in suggesting tailscale --operator=USER to use with Taildrop
    • Fixed: some broken host DNS configurations are now detected and reported in tailscale status


    • Changed: Add /var/packages/Tailscale/target/bin/tailscale configure-host to restore needed permissions. We recommend adding this as a scheduled task at boot.
    Source code(tar.gz)
    Source code(zip)
  • v1.20.4(Feb 9, 2022)

    • Fix DNS lookups via an exit node in many cases
    • fix Openresolv /etc/resolv.conf handling
    • better handle extremely large /proc/net/route files for very large routers
    • fix BGP advertisement with subnet router failover
    Source code(tar.gz)
    Source code(zip)
  • v1.20.3(Jan 26, 2022)

  • v1.20.2(Jan 21, 2022)

    • Fix, memory footprint growth in userspace-networking mode
    • Fix, userspace-networking will accept a TCP SYN with ECN bits set
    • Fix saving resolver list for OpenBSD
    Source code(tar.gz)
    Source code(zip)
  • v1.20.1(Jan 14, 2022)

  • v1.20.0(Jan 13, 2022)

    All Platforms

    • New: When using an exit node, DNS queries will be forwarded to the exit node for resolution
    • New: tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
    • New: SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
    • New: More debug metrics available
    • New: tailscale ip -1 flag
    • New: CLI now lets you select exit node by name
    • New: CLI now shows you which nodes are offering exit nodes
    • New: CLI now refuses to let you pick an invalid exit node (when connected)
    • New: Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
    • New: Added Online boolean to tailscale status --json, made tailscale status show offline nodes
    • New: Added tailscale up --json
    • Fixed: MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using DisableIPv4: true in ACL
    • Fixed: choose a new DERP if the current DERP is removed from the DERPmap
    • Fixed: bug fixes, cleanups, log spam reduction


    • Changed: tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)


    • New: GUI support for running an exit node


    • New: GUI support for running an exit node


    • Changed: Send heartbeats less often, to conserve battery


    • New: Talkback support
    • New: Menu selection to generate a bug report
    • New: "Allow LAN Access" checkbox in Exit Node menu
    • Changed: Send heartbeats less often, to conserve battery
    • Changed: implement DNS config reporting, no longer require fallback DNS to be configured in admin panel
    • Fixed: Report in the UI when connectivity is lost; this functionality was present but broken in prior releases


    • Fixed: Now supports running in a jail (if devd isn't available, it falls back to network status polling mode)
    Source code(tar.gz)
    Source code(zip)
  • v1.18.2(Dec 16, 2021)


    All Platforms

    • make exit node selection take effect (almost) immediately
    • permit protocols other than TCP+UDP if ACL allows *


    • in DNS DirectManager, allow comments at the end of a line
    • don't get stuck waiting for systemd-resolved if we mis-estimated the DNS manager


    • Send & receive Taildrop files. To receive, create a shared folder named "Taildrop" and in Permissions, give the System user tailscale read/write access, then restart Tailscale
    Source code(tar.gz)
    Source code(zip)
  • v1.18.1(Nov 26, 2021)

    • Linux-only release to fix some regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing.
    Source code(tar.gz)
    Source code(zip)
  • v1.18.0(Nov 18, 2021)

    Platform independent

    • Improve UPnP discovery; eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
    • If unable to upload telemetry, limit amount buffered to 50MB
    • Retry more transient DNS errors, instead of passing the failure back to the client
    • fix state machine transition regarding expired key extension
    • the tailscaled debug server now exports Prometheus metrics at /debug/metrics


    • Support storing Tailscale state using AWS SSM (ex: tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime VISONNEAU)
    • use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device.
    • if resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
    • if NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
    • handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
    • work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
    • make /etc/resolv.conf parse to the end of the comment section, not use the first match it finds


    • on iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms


    • only use AmbientCaps on DSM7+
    • add an exit node enable checkbox in the web login form
    Source code(tar.gz)
    Source code(zip)
  • v1.16.2(Oct 29, 2021)

    • Fix UPnP discovery for certain Wi-Fi routers, notably eero
    • Limit log buffer size on disk, for example if uploads are blocked
    Source code(tar.gz)
    Source code(zip)
  • v1.16.1(Oct 20, 2021)

    General improvements

    • Resolve connectivity issue where a DISCO key was assumed to map to one node when in reality it could be any of several nodes.

    Platform specific



    • don't try to delete legacy netfilter rules, they don't exist on Synology
    • only use AmbientCaps on DSM7+
    Source code(tar.gz)
    Source code(zip)
  • v1.16.0(Oct 7, 2021)

    All Platforms

    • Support storage of node state as a Kubernetes secret.
    • tailscale up --authkey=file:/path/to/secret support
    • tailscale up --qr for QR codes
    • tailscaled in userspace-networking mode can now run an HTTP proxy server (in addition to the prior SOCKS5 proxy server support)
    • no longer need the while tailscale up; do sleep 0.1; done loops in Docker startup scripts.
    • CPU/memory profiling support in tailscale debug
    • bake in LetsEncrypt's ISRG Root X1 root (also in 1.14.6)


    • Support containers with !CAP_NET_RAW and !CAP_NET_ADMIN (like CircleCI runners)
    • service (portlist) scanning optimized; uses much less CPU on busy servers


    • Move state to C:\ProgramData (also in 1.14.4)


    • Fix super rare Wireguard packet loop network flood when using a DNS server behind a subnet router, when a macOS device resumes from sleep and the network changes (also iOS, but triggers less there). Fixes #1526 (also in 1.14.6)


    • Turn the radio on less often to improve battery performance


    • support Taildrop on older Android releases
    • Turn the radio on less often to improve battery performance
    Source code(tar.gz)
    Source code(zip)
  • v1.14.6(Oct 1, 2021)

    • include LetsEncrypt's ISRG Root X1 root as an alternate to try if the platform roots fail
    • if tailscale cert fails because it needs to be run as root, say so.
    • avoid looping packets in tstun, believed to fix #1526
    • allows SOCKS5 proxy for --tun=userspace-networking to dial the HTTPS domain name of the Tailnet
    • ensure state directory is set to perm 0700.
    • ignore ipsec link monitor events for iOS, avoid waking the system
    Source code(tar.gz)
    Source code(zip)
  • v1.14.5(Oct 1, 2021)

  • v1.14.4(Sep 24, 2021)


    • move state files from C:\Windows to C:\ProgramData, to better handle Windows Updates


    • fix segfaults shortly after starting (,)
    Source code(tar.gz)
    Source code(zip)
  • v1.14.3(Sep 17, 2021)

    • tailscale up will wait for the socket to tailscaled to be created, not exit with an error. It should no longer be necessary to run it in a loop.
    • fix default route lookup on Windows; fixes #2707
    • fix crash in TCP forwarding with userspace-networking #2658

    Note: v1.14.1 and v1.14.2 were never released.

    Source code(tar.gz)
    Source code(zip)
  • v1.14.0(Aug 23, 2021)

    All Platforms

    • Improved Portmapping to ask a firewall to open a port:
      • NAT-PMP has been implemented for some time.
      • This release adds support for Port Control Protocol response to NAT-PMP, which some firewalls send.
      • If neither NAT-PMP nor PCP is present, fall back to Universal Plug and Play Internet Gateway Device support.
      • The net effect is that 1.14 is substantially more likely to make a direct connection from residential/SMB environments, and not need to use a DERP Relay. Enabling NAT-PMP/UPnP support in the router will enable this.
    • Allow access to local VMs and Docker Containers while using an exit node.
    • The tailscaled daemon continues to log less (an ongoing effort each release)


    • Update to wintun 0.13.


    • FreeBSD can now function as an exit node.
    Source code(tar.gz)
    Source code(zip)
  • v1.12.4(Aug 23, 2021)

Tailscale is a WireGuard-based app that makes secure, private networks easy for teams of any scale.
This small Docker project is the easiest way to send notifications directly via .txt files to services like: Gotify, Telegram, SMTP (Email) or Webhook.

This small Docker project is the easiest way to send notifications directly via .txt files to services like: Gotify, Telegram, SMTP (Email) or Webhook.

echGo 5 Jul 10, 2022
Our aim is to expand the capabilities of blockchain and make a secure way for transferring NFT between RMRK and MOVR blockchain.

remov Inspiration Our aim is to expand the capabilities of blockchain and make a secure way for transferring NFT between RMRK and MOVR blockchain. The

RMRK Team 3 Jul 25, 2022
A Wireguard VPN Server Manager and API to add and remove clients

Wireguard Manager And API A manager and API to add, remove clients as well as other features such as an auto reapplier which deletes and adds back a c

null 138 Sep 22, 2022
A fork of the simple WireGuard VPN server GUI community maintained

Subspace - A simple WireGuard VPN server GUI Subspace - A simple WireGuard VPN server GUI Slack Screenshots Features Contributing Setup 1. Get a serve

null 1.7k Sep 25, 2022
A flexible configuration manager for Wireguard networks

Drago A flexible configuration manager for WireGuard networks Drago is a flexible configuration manager for WireGuard networks which is designed to ma

Seashell 982 Sep 25, 2022
Simple Web based configuration generator for WireGuard. Demo:

Wg Gen Web Simple Web based configuration generator for WireGuard. Why another one ? All WireGuard UI implementations are trying to manage the service

vx3r 1k Sep 27, 2022
Connect your devices into a single private WireGuard®-based mesh network.

Wiretrustee A WireGuard®-based mesh network that connects your devices into a single private network. Why using Wiretrustee? Connect multiple devices

null 3.4k Sep 28, 2022
An userspace SORACOM Arc client powered by wireguard-go

soratun An easy-to-use, userspace SORACOM Arc client powered by wireguard-go. For deploying and scaling Linux servers/Raspberry Pi devices working wit

Soracom, Inc. 6 Jun 2, 2022
Layer2 version of wireguard with Floyd Warshall implement in go.

Etherguard 中文版README A Full Mesh Layer2 VPN based on wireguard-go OSPF can find best route based on it's cost. But sometimes the lentancy are differen

日下部 詩 45 Sep 18, 2022
Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface

wg-ovpn Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface Warning: really ugly and unstable code! Building Obtain latest so

Patrycja 6 Jan 18, 2022
Mount your podman container into WireGuard networks on spawn

wg-pod A tool to quickly join your podman container/pod into a WireGuard network. Explanation wg-pod wires up the tools ip,route,wg and podman. It cre

Maximilian Ehlers 13 Aug 14, 2022
Go Implementation of WireGuard

Go Implementation of WireGuard

WireGuard 1.5k Sep 29, 2022
A HTTP proxy server tunnelling through wireguard

wg-http-proxy This project hacks together the excellent and into an HTTP proxy s

Sebastian Himberger 13 Sep 25, 2022
NAT puncher for Wireguard mesh networking.

natpunch-go This is a NAT hole punching tool designed for creating Wireguard mesh networks. It was inspired by Tailscale and informed by this example.

Malcolm Seyd 106 Sep 9, 2022
generate Wireguard keypairs with a given prefix string

wireguard-vanity-address Generate Wireguard keypairs with a given prefix string. The Wireguard VPN uses Curve25519 keypairs, and displays the Base64-e

yinheli 2 Mar 19, 2022
udppunch hole for wireguard

udppunch udp punch for wireguard, inspired by natpunch-go usage server side ./punch-server-linux-amd64 -port 19993 client side make sure wireguard is

yinheli 116 Sep 23, 2022
Use Consul to do service discovery, use gRPC +kafka to do message produce and consume. Use redis to store result.

目录 gRPC/consul/kafka简介 gRPC+kafka的Demo gRPC+kafka整体示意图 限流器 基于redis计数器生成唯一ID kafka生产消费 kafka生产消费示意图 本文kafka生产消费过程 基于pprof的性能分析Demo 使用pprof统计CPU/HEAP数据的

null 43 Jul 9, 2022
A repository for the X-Team community to collaborate and learn solutions to most coding challenges to help prepare for their interviews.

Community Coding Challenge Handbook This repository focuses on helping X-Teamers and community members to thrive through coding challenges offering so

X-Team 121 Sep 6, 2022