<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/control, branch awly/deadcode-deb</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-deb</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-deb'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2026-04-17T11:19:50Z</updated>
<entry>
<title>control/tsp: add lite map update support</title>
<updated>2026-04-17T11:19:50Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-17T04:21:29Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=00a08ea86de27192a6fe2349ff1bf080b7f23f6f'/>
<id>urn:sha1:00a08ea86de27192a6fe2349ff1bf080b7f23f6f</id>
<content type='text'>
Updates #12542
Updates tailscale/corp#40088

Change-Id: Idb4526f1bf1f3f424d6fb3d7e34ebe89a474b57b
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/tsp, cmd/tsp: add low-level Tailscale protocol client and tool</title>
<updated>2026-04-17T03:00:25Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-16T21:15:51Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=50d7176333c1be6519b4754bf9059a49dc58eb63'/>
<id>urn:sha1:50d7176333c1be6519b4754bf9059a49dc58eb63</id>
<content type='text'>
Add a new control/tsp package providing a client for speaking the
Tailscale protocol to a coordination server over Noise, along with a
cmd/tsp binary exposing it as a low-level composable tool for
generating keys, registering nodes, and issuing map requests.

Previously developed out-of-tree at github.com/bradfitz/tsp; imported
here without git history.

Updates #12542

Change-Id: I6ad21143c4aefe8939d4a46ae65b2184173bf69f
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: enable request signatures on macOS (#19317)</title>
<updated>2026-04-15T18:11:14Z</updated>
<author>
<name>Jonathan Nobels</name>
<email>jnobels@gmail.com</email>
</author>
<published>2026-04-15T18:11:14Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=acc43356c632cec5b642ab93fa393684cea09b6a'/>
<id>urn:sha1:acc43356c632cec5b642ab93fa393684cea09b6a</id>
<content type='text'>
fixes tailscale/corp#39422

Updates tailscale/certstore for proper macOS support and
builds the request signing support into macOS builds.  iOS and builds
that do not use cGo are omitted.

Signed-off-by: Jonathan Nobels &lt;jonathan@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: handle 429 responses during node registration</title>
<updated>2026-04-15T17:54:08Z</updated>
<author>
<name>Anton Tolchanov</name>
<email>anton@tailscale.com</email>
</author>
<published>2026-04-14T12:27:06Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=958bcda5bff512876c5d11aa10af4b056ca62c4b'/>
<id>urn:sha1:958bcda5bff512876c5d11aa10af4b056ca62c4b</id>
<content type='text'>
If we get a 429 response during node registration, use the `Retry-After`
header for backoff instead of the regular exponential backoff.

The rate limiter error is propagated to the user, just like other
registration errors are, e.g.

```
$ tailscale up
backend error: node registration rate limited; will retry after 57s
exit status 1
```

Updates tailscale/corp#39533

Signed-off-by: Anton Tolchanov &lt;anton@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: add patchify miss stats</title>
<updated>2026-04-15T15:05:57Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-15T14:37:33Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=dbf468740b49f06828d5c8f9bc30f0c51cba4496'/>
<id>urn:sha1:dbf468740b49f06828d5c8f9bc30f0c51cba4496</id>
<content type='text'>
Add an opt-in metrics.LabelMap tracking why patchifyPeer fails to
convert a PeersChanged entry into a PeersChangedPatch. The stats are
gated behind the TS_DEBUG_PATCHIFY_PEER_MISS envknob so there is zero
overhead in normal operation.

peerChangeDiff now takes an optional onFalse callback that is called
with the field name on every non-patchable return path. When the
envknob is off, nil is passed and replaced with a no-op at the top of
peerChangeDiff.

The resulting metric renders as:

    counter_patchify_miss{why="Hostinfo"} 2
    counter_patchify_miss{why="peer_not_found"} 1170

Updates tailscale/corp#40088

Change-Id: I2d4b9074bf42ec03ab296c0629a54106bafa873e
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: accept key if last seen on existing node is absent (#19402)</title>
<updated>2026-04-15T07:53:40Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-15T07:53:40Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=61c95f409c90728d3c3ad2627ea77fa4e1a48390'/>
<id>urn:sha1:61c95f409c90728d3c3ad2627ea77fa4e1a48390</id>
<content type='text'>
On some nodes (found via natlab), the existing node's last seen could be
unset. For these cases, we would want to accept the key and write a last
seen. This was breaking the cached netmap natlab tests.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: improve filter on netmap updates (#19308)</title>
<updated>2026-04-14T12:43:07Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-14T12:43:07Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=27f1d4c15ddf725b83db1a34ed443b9165ce9e7a'/>
<id>urn:sha1:27f1d4c15ddf725b83db1a34ed443b9165ce9e7a</id>
<content type='text'>
The previous filters would allow for a handful of subtle issues such as
updating the last seen date when the key or online status had not
changed, and making online keys unconditionally make an engine update.

These have been fixed alongside making no-change updates from TSMP into
a no-op for the engine so we don't have to reconfigure.

A bunch of additional testing has been added as well.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>control/controlclient: avoid calls to ms.netmap() (#19281)</title>
<updated>2026-04-08T13:01:07Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-08T13:01:07Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=9e68841939170ae132935e26e5e200066b1f62c3'/>
<id>urn:sha1:9e68841939170ae132935e26e5e200066b1f62c3</id>
<content type='text'>
Instead of generating the full netmap, just fetch the peers out of the
existing peers map.

The extra usage was introduced with netmap caching, but there is no need
to call the netmap to get this information, rather the existing peermap
can be used.

Updates #12639

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>tsd, all: add Sys.ExtraRootCAs, plumb through TLS dial paths</title>
<updated>2026-04-08T01:10:54Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-07T19:09:19Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=a182b864ace45ee69830973a157fdaa07e9e4d3d'/>
<id>urn:sha1:a182b864ace45ee69830973a157fdaa07e9e4d3d</id>
<content type='text'>
Add ExtraRootCAs *x509.CertPool to tsd.System and plumb it through
the control client, noise transport, DERP, and wgengine layers so
that platforms like Android can inject user-installed CA certificates
into Go's TLS verification.

tlsdial.Config now honors base.RootCAs as additional trusted roots,
tried after system roots and before the baked-in LetsEncrypt fallback.
SetConfigExpectedCert gets the same treatment for domain-fronted DERP.

The Android client will set sys.ExtraRootCAs with a pool built from
x509.SystemCertPool + user-installed certs obtained via the Android
KeyStore API, replacing the current SSL_CERT_DIR environment variable
approach.

Updates #8085

Change-Id: Iecce0fd140cd5aa0331b124e55a7045e24d8e0c2
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: add rwlock to peers in mapsession (#19261)</title>
<updated>2026-04-07T12:52:55Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2026-04-07T12:52:55Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=d44649a9e48137f5954fad6e7b1410f94a8a44c4'/>
<id>urn:sha1:d44649a9e48137f5954fad6e7b1410f94a8a44c4</id>
<content type='text'>
After moving around locks in 4334dfa7d5ccbee1daf5acf30b33557bbca66525,
a data race was made possible.

Introduce an RWlock to the mapSession itself for fetching peers.

Fixes #19260

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
</feed>
