<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/control/controlknobs/controlknobs.go, branch raggi/envknobs-gso-gro</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=raggi%2Fenvknobs-gso-gro</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=raggi%2Fenvknobs-gso-gro'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2025-09-18T08:59:46Z</updated>
<entry>
<title>control, ipn, tailcfg: enable seamless key renewal by default</title>
<updated>2025-09-18T08:59:46Z</updated>
<author>
<name>Alex Chan</name>
<email>alexc@tailscale.com</email>
</author>
<published>2025-09-11T12:11:41Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=cd153aa644dd861602e386e71df20a61733b56a8'/>
<id>urn:sha1:cd153aa644dd861602e386e71df20a61733b56a8</id>
<content type='text'>
Previously, seamless key renewal was an opt-in feature.  Customers had
to set a `seamless-key-renewal` node attribute in their policy file.

This patch enables seamless key renewal by default for all clients.

It includes a `disable-seamless-key-renewal` node attribute we can set
in Control, so we can manage the rollout and disable the feature for
clients with known bugs.  This new attribute makes the feature opt-out.

Updates tailscale/corp#31479

Signed-off-by: Alex Chan &lt;alexc@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlknobs,tailcfg,wgengine/magicsock: deprecate NodeAttrDisableMagicSockCryptoRouting (#16818)</title>
<updated>2025-08-11T16:04:03Z</updated>
<author>
<name>Jordan Whited</name>
<email>jordan@tailscale.com</email>
</author>
<published>2025-08-11T16:04:03Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=d122f0350e8efc4ee80b295829d447ff9d5ddb08'/>
<id>urn:sha1:d122f0350e8efc4ee80b295829d447ff9d5ddb08</id>
<content type='text'>
Peer Relay is dependent on crypto routing, therefore crypto routing is
now mandatory.

Updates tailscale/corp#20732
Updates tailscale/corp#31083

Signed-off-by: Jordan Whited &lt;jordan@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlknobs: make Knobs.AsDebugJSON automatic, not require maintenance</title>
<updated>2025-01-26T18:49:11Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-01-26T18:23:38Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=e701fde6b389a4a69b4d33aace8969530b25de8d'/>
<id>urn:sha1:e701fde6b389a4a69b4d33aace8969530b25de8d</id>
<content type='text'>
The AsDebugJSON method (used only for a LocalAPI debug call) always
needed to be updated whenever a new controlknob was added. We had a
test for it, which was nice, but it was a tedious step we don't need
to do. Use reflect instead.

Updates #14788

Change-Id: If59cd776920f3ce7c748f86ed2eddd9323039a0b
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: skip SetControlClientStatus when queue has newer results later</title>
<updated>2025-01-25T00:16:22Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-01-24T21:09:21Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=1a7274fccb0617f6d0bc31a45d835b61a9d5c5b7'/>
<id>urn:sha1:1a7274fccb0617f6d0bc31a45d835b61a9d5c5b7</id>
<content type='text'>
Updates #1909
Updates #12542
Updates tailscale/corp#26058

Change-Id: I3033d235ca49f9739fdf3deaf603eea4ec3e407e
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>health: introduce captive-portal-detected Warnable (#12707)</title>
<updated>2024-07-26T18:25:55Z</updated>
<author>
<name>Andrea Gottardo</name>
<email>andrea@tailscale.com</email>
</author>
<published>2024-07-26T18:25:55Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=90be06bd5b79798fb0fdaa996750acceb96f831c'/>
<id>urn:sha1:90be06bd5b79798fb0fdaa996750acceb96f831c</id>
<content type='text'>
Updates tailscale/tailscale#1634

This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting.

ipn/ipnlocal: fix captive portal loop shutdown

Change-Id: I7cafdbce68463a16260091bcec1741501a070c95

net/captivedetection: fix mutex misuse

ipn/ipnlocal: ensure that we don't fail to start the timer

Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465

Signed-off-by: Andrew Dunham &lt;andrew@du.nham.ca&gt;
Signed-off-by: Andrea Gottardo &lt;andrea@gottardo.me&gt;</content>
</entry>
<entry>
<title>wgengine/magicsock: use wireguard-go/conn.PeerAwareEndpoint</title>
<updated>2024-07-12T15:24:06Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2024-07-09T03:31:16Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=808b4139eec4f9ffcf8fc7a39b0519395efcc165'/>
<id>urn:sha1:808b4139eec4f9ffcf8fc7a39b0519395efcc165</id>
<content type='text'>
If we get a non-disco presumably-wireguard-encrypted UDP packet from
an IP:port we don't recognize, rather than drop the packet, give it to
WireGuard anyway and let WireGuard try to figure out who it's from and
tell us.

This uses the new hook added in https://github.com/tailscale/wireguard-go/pull/27

Updates tailscale/corp#20732

Change-Id: I5c61a40143810592f9efac6c12808a87f924ecf2
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlknobs,tailcfg,wgengine/magicsock: remove DRPO shutoff switch</title>
<updated>2024-07-07T02:50:53Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2024-07-07T02:29:58Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=d2fef01206cd7a96d684f9c69ba9e767de824ab4'/>
<id>urn:sha1:d2fef01206cd7a96d684f9c69ba9e767de824ab4</id>
<content type='text'>
The DERP Return Path Optimization (DRPO) is over four years old (and
on by default for over two) and we haven't had problems, so time to
remove the emergency shutoff code (controlknob) which we've never
used. The controlknobs are only meant for new features, to mitigate
risk. But we don't want to keep them forever, as they kinda pollute
the code.

Updates #150

Change-Id: If021bc8fd1b51006d8bddd1ffab639bb1abb0ad1
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows</title>
<updated>2024-06-14T19:41:50Z</updated>
<author>
<name>Nick Khyl</name>
<email>nickk@tailscale.com</email>
</author>
<published>2024-06-11T03:05:15Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=c32efd9118bb8ba63ae5729653d1eaeeaad52149'/>
<id>urn:sha1:c32efd9118bb8ba63ae5729653d1eaeeaad52149</id>
<content type='text'>
Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers
associated with all network adapters, even when "Override local DNS" is enabled and/or
a Mullvad exit node is being used, resulting in DNS leaks.

This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable
the new behavior if needed.

Fixes tailscale/corp#20718

Signed-off-by: Nick Khyl &lt;nickk@tailscale.com&gt;
</content>
</entry>
<entry>
<title>tailcfg,net/dns: add controlknob to disable battery split DNS on iOS (#12346)</title>
<updated>2024-06-06T22:19:33Z</updated>
<author>
<name>Andrea Gottardo</name>
<email>andrea@tailscale.com</email>
</author>
<published>2024-06-06T22:19:33Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=b65221999ca2644e917efce394dc0c9603cfacb7'/>
<id>urn:sha1:b65221999ca2644e917efce394dc0c9603cfacb7</id>
<content type='text'>
Updates corp#15802.

Adds the ability for control to disable the recently added change that uses split DNS in more cases on iOS. This will allow us to disable the feature if it leads to regression in production. We plan to remove this knob once we've verified that the feature works properly.

Signed-off-by: Andrea Gottardo &lt;andrea@gottardo.me&gt;</content>
</entry>
<entry>
<title>net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers</title>
<updated>2024-05-06T22:29:24Z</updated>
<author>
<name>Nick Khyl</name>
<email>nickk@tailscale.com</email>
</author>
<published>2024-05-02T23:33:13Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=f62e678df8e1d4a3fd3a41f8c847c6b0a3605ac8'/>
<id>urn:sha1:f62e678df8e1d4a3fd3a41f8c847c6b0a3605ac8</id>
<content type='text'>
Now that tsdial.Dialer.UserDial has been updated to honor the configured routes
and dial external network addresses without going through Tailscale, while also being
able to dial a node/subnet router on the tailnet, we can start using UserDial to forward
DNS requests. This is primarily needed for DNS over TCP when forwarding requests
to internal DNS servers, but we also update getKnownDoHClientForProvider to use it.

Updates tailscale/corp#18725

Signed-off-by: Nick Khyl &lt;nickk@tailscale.com&gt;
</content>
</entry>
</feed>
