megachangelog
Feature1.94.1

Tailscale v1.94.1

Tailscale v1.94.1 introduces new client metrics for DERP regions and peer relays, automatic identity token generation for workload identities, and tsnet support for hosting Tailscale Services. It includes multiple fixes across platforms including DNS resolution on Linux, security vulnerability fixes on macOS, and improved relay throughput optimizations.

Note: 1.94.0 was a release candidate intended for testing only.

All Platforms Linux
  • New: Custom DERP servers support Google Cloud Platform (GCP) Certificate Manager.
  • New: Tailscale SSH authentication, when successful, results in LOGIN audit messages being sent to the kernel audit subsystem.
  • Changed: Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket option is supported on multi-core systems.
  • Fixed: Tailscale Peer Relay server handshake transmission is guarded against routing loops over Tailscale.
  • Fixed: MagicDNS always resolves when using resolve.conf without a DNS manager.
macOS
  • New: AuthBrowser.macos system policy sets a preferred browser for opening automatic authentication URLs.
  • New: HideDockIcon system policy determines if the Tailscale Dock icon persists after all Tailscale windows close.
  • New: Install and automatically update to release candidate versions of the client in the About section, Release Channel drop-down.
  • Fixed: DNS related health warnings no longer display when Tailscale DNS is disabled.
  • Fixed: tssentinelId command injection vulnerability has been removed. This fix addresses a security vulnerability described in TS-2026-001.
  • Fixed: Ping view is Tailscale Peer Relay aware.
iOS tvOS
  • New: Use Tailscale Subnets toggle is added in Subnet Routing Settings.
  • Fixed: Ping view is Tailscale Peer Relay aware.
Android
peer-relaymetricsworkload-identitysecurityperformancemacoslinux

Source: original entry ↗