Announcement1.86.0
Tailscale v1.86.0
Version 1.86.0 introduces device posture checks for encrypted client state, automatic exit node selection across platforms, state encryption via TPM/Keychain, and multiple fixes for CSRF, proxy detection, system policies, and platform-specific issues. Note: This version was rolled back due to regressions on July 25 (macOS) and July 28 (all platforms).
Note: Tailscale halted the rollout of version 1.86.0 for macOS on July 25, 2025, and for all other platforms on July 28, 2025, due to multiple regressions.
All platforms- New:
tsStateEncrypteddevice posture attribute for checking whether the Tailscale client state is encrypted at rest. - Fixed: Cross-site request forgery (CSRF) issue that may have resulted in a log in error when accessing the web interface.
- Fixed: Hostnames are verified as expected when using CONNECT HTTPS proxy to connect to the control plane.
- Fixed: Recommended exit node when the previously recommended exit node is offline.
- New:
tailscale up --exit-node=auto:anyandtailscale set --exit-node=auto:anyCLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change. - New:
tailscaledCLI command flag--encrypt-stateencrypts the node state file on the disk using trusted platform module (TPM).
- New:
tailscale up --exit-node=auto:anyandtailscale set --exit-node=auto:anyCLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change. - New:
EncryptStatesystem policy enforces storing the node state file in encrypted format on disk using trusted platform module (TPM). - Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
- Fixed:
AlwaysOnsystem policy is enforced as expected. - Fixed: System tray icon display a notification when the selected exit node is unavailable.
- Fixed: Mullvad exit node picker hides after switching from a profile with Mullvad exit nodes to one without any exit nodes.
- Fixed: WDAP/PAC proxy detection on Windows 10 1607 and earlier to ensure successful connectivity when a proxy is required.
- New:
tailscale up --exit-node=auto:anyandtailscale set --exit-node=auto:anyCLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change. - New:
ReconnectAftersystem policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting. - New:
EncryptStatesystem policy enforces storing the node state file in the Keychain. The App Store variant of the client always uses the Keychain regardless of this setting. - New:
OnboardingFlowsystem policy enforces the suppression of the onboarding flow that displays when the client is installed. This replaces the deprecatedTailscaleOnboardingSeensystem policy. - New: Remove all accounts option in the Debug menu.
- Changed:
TailscaleOnboardingSeensystem policy is deprecated. Use the newOnboardingFlowsystem policy instead. - Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
- Fixed:
AlwaysOnsystem policy is enforced as expected. - Fixed: Shortcut action issues.
- Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switches to it when available exit nodes or network conditions change.
- Fixed: Reset keychain option issues.
- Fixed: Shortcut action issues.
- Fixed: Taildrop resending issues.
- Changed: Selecting Recommended from the exit node picker makes the Tailscale client track the recommended exit node and automatically switch to it when available exit nodes or network conditions change.
exit-nodessecurityencryptionsystem-policymulti-platformfixes
Source: original entry ↗