- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1444
- Added missing ca-certificates in Docker image #1463
- Add environment flags to enable pprof (profiling) #1382
- Profiles are continously generated in our integration tests.
- Fix systemd service file location in
.deb
packages #1391 - Improvements on Noise implementation #1379
- Replace node filter logic, ensuring nodes with access can see eachother #1381
- Disable (or delete) both exit routes at the same time #1428
- Ditch distroless for Docker image, create default socket dir in
/var/run/headscale
#1450
- Fix issue where systemd could not bind to port 80 #1365
- Add
.deb
packages to release process #1297 - Update and simplify the documentation to use new
.deb
packages #1349 - Add 32-bit Arm platforms to release process #1297
- Fix longstanding bug that would prevent "*" from working properly in ACLs (issue #699) #1279
- Fix issue where IPv6 could not be used in, or while using ACLs (part of #809) #1339
- Target Go 1.20 and Tailscale 1.38 for Headscale #1323
- Adding "configtest" CLI command. #1230
- Add documentation on connecting with iOS to
/apple
#1261 - Update iOS compatibility and added documentation for iOS #1264
- Allow to delete routes #1244
- Fix wrong behaviour in exit nodes #1159
- Align behaviour of
dns_config.restricted_nameservers
to tailscale #1162 - Make OpenID Connect authenticated client expiry time configurable #1191
- defaults to 180 days like Tailscale SaaS
- adds option to use the expiry time from the OpenID token for the node (see config-example.yaml)
- Set ControlTime in Map info sent to nodes #1195
- Populate Tags field on Node updates sent #1195
- Rename Namespace to User #1144
- BACKUP your database before upgrading
- Command line flags previously taking
--namespace
or-n
will now require--user
or-u
- Reworked routing and added support for subnet router failover #1024
- Added an OIDC AllowGroups Configuration options and authorization check #1041
- Set
db_ssl
to false by default #1052 - Fix duplicate nodes due to incorrect implementation of the protocol #1058
- Report if a machine is online in CLI more accurately #1062
- Added config option for custom DNS records #1035
- Expire nodes based on OIDC token expiry #1067
- Remove ephemeral nodes on logout #1098
- Performance improvements in ACLs #1129
- OIDC client secret can be passed via a file #1127
- Correct typo on macOS standalone profile link #1028
- Update platform docs with Fast User Switching #1016
noise.private_key_path
has been added and is required for the new noise protocol.- Log level option
log_level
was moved to a distinctlog
config section and renamed tolevel
#768 - Removed Alpine Linux container image #962
- Added support for Tailscale TS2021 protocol #738
- Add experimental support for SSH ACL (see docs for limitations) #847
- Please note that this support should be considered partially implemented
- SSH ACLs status:
- Support
accept
andcheck
(SSH can be enabled and used for connecting and authentication) - Rejecting connections are not supported, meaning that if you enable SSH, then assume that all
ssh
connections will be allowed. - If you decied to try this feature, please carefully managed permissions by blocking port
22
with regular ACLs or do not set--ssh
on your clients. - We are currently improving our testing of the SSH ACLs, help us get an overview by testing and giving feedback.
- Support
- This feature should be considered dangerous and it is disabled by default. Enable by setting
HEADSCALE_EXPERIMENTAL_FEATURE_SSH=1
.
- Add ability to specify config location via env var
HEADSCALE_CONFIG
#674 - Target Go 1.19 for Headscale #778
- Target Tailscale v1.30.0 to build Headscale #780
- Give a warning when running Headscale with reverse proxy improperly configured for WebSockets #788
- Fix subnet routers with Primary Routes #811
- Added support for JSON logs #653
- Sanitise the node key passed to registration url #823
- Add support for generating pre-auth keys with tags #767
- Add support for evaluating
autoApprovers
ACL entries when a machine is registered #763 - Add config flag to allow Headscale to start if OIDC provider is down #829
- Fix prefix length comparison bug in AutoApprovers route evaluation #862
- Random node DNS suffix only applied if names collide in namespace. #766
- Remove
ip_prefix
configuration option and warning #899 - Add
dns_config.override_local_dns
option #905 - Fix some DNS config issues #660
- Make it possible to disable TS2019 with build flag #928
- Fix OIDC registration issues #960 and #971
- Add support for specifying NextDNS DNS-over-HTTPS resolver #940
- Make more sslmode available for postgresql connection #927
- Add ability to connect to PostgreSQL over TLS/SSL #745
- Fix CLI registration of expired machines #754
- Fix issue with OIDC authentication #747
- Fixed bugs in the client registration process after migration to NodeKey #735
- Updated dependencies (including the library that lacked armhf support) #722
- Fix missing group expansion in function
excludeCorretlyTaggedNodes
#563 - Improve registration protocol implementation and switch to NodeKey as main identifier #725
- Add ability to connect to PostgreSQL via unix socket #734
Note: Take a backup of your database before upgrading.
- Old ACL syntax is no longer supported ("users" & "ports" -> "src" & "dst"). Please check the new syntax.
- Drop armhf (32-bit ARM) support. #609
- Headscale fails to serve if the ACL policy file cannot be parsed #537
- Fix labels cardinality error when registering unknown pre-auth key #519
- Fix send on closed channel crash in polling #542
- Fixed spurious calls to setLastStateChangeToNow from ephemeral nodes #566
- Add command for moving nodes between namespaces #362
- Added more configuration parameters for OpenID Connect (scopes, free-form paramters, domain and user allowlist)
- Add command to set tags on a node #525
- Add command to view tags of nodes #356
- Add --all (-a) flag to enable routes command #360
- Fix issue where nodes was not updated across namespaces #560
- Add the ability to rename a nodes name #560
- Node DNS names are now unique, a random suffix will be added when a node joins
- This change contains database changes, remember to backup your database before upgrading
- Add option to enable/disable logtail (Tailscale's logging infrastructure) #596
- This change disables the logs by default
- Use [Prometheus]'s duration parser, supporting days (
d
), weeks (w
) and years (y
) #598 - Add support for reloading ACLs with SIGHUP #601
- Use new ACL syntax #618
- Add -c option to specify config file from command line #285 #612
- Add configuration option to allow Tailscale clients to use a random WireGuard port. kb/1181/firewalls #624
- Improve obtuse UX regarding missing configuration (
ephemeral_node_inactivity_timeout
not set) #639 - Fix nodes being shown as 'offline' in
tailscale status
#648 - Improve shutdown behaviour #651
- Drop Gin as web framework in Headscale 648 677
- Make tailnet node updates check interval configurable #675
- Fix regression with HTTP API #684
- nodes ls now print both Hostname and Name(Issue #647 PR #687)
Note: Take a backup of your database before upgrading.
- Boundaries between Namespaces has been removed and all nodes can communicate by default #357
- To limit access between nodes, use ACLs.
/metrics
is now a configurable host:port endpoint: #344. You must update yourconfig.yaml
file to include:metrics_listen_addr: 127.0.0.1:9090
- Add support for writing ACL files with YAML #359
- Users can now use emails in ACL's groups #372
- Add shorthand aliases for commands and subcommands #376
- Add
/windows
endpoint for Windows configuration instructions + registry file download #392 - Added embedded DERP (and STUN) server into Headscale #388
- Fix a bug were the same IP could be assigned to multiple hosts if joined in quick succession #346
- Simplify the code behind registration of machines #366
- Nodes are now only written to database if they are registrated successfully
- Fix a limitation in the ACLs that prevented users to write rules with
*
as source #374 - Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine #371
- Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations #363
- Fix a bug that prevented the use of
tailscale logout
with OIDC #508 - Added Tailscale repo HEAD and unstable releases channel to the integration tests targets #513
**UPCOMING ### BREAKING
From the **next** version (0.15.0
), all machines will be able to communicate regardless of
if they are in the same namespace. This means that the behaviour currently limited to ACLs
will become default. From version 0.15.0
, all limitation of communications must be done
with ACLs.
This is a part of aligning headscale
's behaviour with Tailscale's upstream behaviour.
- ACLs have been rewritten to align with the bevaviour Tailscale Control Panel provides. NOTE: This is only active if you use ACLs
- Namespaces are now treated as Users
- All machines can communicate with all machines by default
- Tags should now work correctly and adding a host to Headscale should now reload the rules.
- The documentation have a fictional example that should cover some use cases of the ACLs features
- Remove dependency on CGO (switch from CGO SQLite to pure Go) #346
0.13.0 (2022-02-18):
- Add IPv6 support to the prefix assigned to namespaces
- Add API Key support
- Enable remote control of
headscale
via CLI docs - Enable HTTP API (beta, subject to change)
- Enable remote control of
- OpenID Connect users will be mapped per namespaces
- Each user will get its own namespace, created if it does not exist
oidc.domain_map
option has been removedstrip_email_domain
option has been added (see config-example.yaml)
ip_prefix
is now superseded byip_prefixes
in the configuration #208- Upgrade
tailscale
(1.20.4) and other dependencies to latest #314 - fix swapped machine<->namespace labels in
/metrics
#312 - remove key-value based update mechanism for namespace changes #316
0.12.4 (2022-01-29):
- Make gRPC Unix Socket permissions configurable #292
- Trim whitespace before reading Private Key from file #289
- Add new command to generate a private key for
headscale
#290 - Fixed issue where hosts deleted from control server may be written back to the database, as long as they are connected to the control server #278
Happy New Year!
(We are skipping 0.12.0 to correct a mishap done weeks ago with the version tagging)
- Upgrade to Tailscale 1.18 #229
- This change requires a new format for private key, private keys are now generated automatically:
- Delete your current key
- Restart
headscale
, a new key will be generated. - Restart all Tailscale clients to fetch the new key
- This change requires a new format for private key, private keys are now generated automatically:
- Add gRPC and HTTP API (HTTP API is currently disabled) #204
- Use gRPC between the CLI and the server #206, #212
- Beta OpenID Connect support #126, #227
- Make headscale fetch DERP map from URL and file #196