This month at Tailscale for April 2026

Published: (April 24, 2026 at 10:30 AM EDT)
Source: Tailscale Blog

We continuously ship updates to make your network more reliable, manageable, and secure. Each month, we highlight some of the most impactful changes across clients, admin tools, integrations, and infrastructure—so you can stay on top of what’s new and what’s better.

Here’s a rundown of what’s changed in Tailscale’s software since our last blog update in late March 2026. For instructions on how to update to the latest version, visit our update guide.

Aperture updates

  • New: Create custom guardrails with pre‑LLM‑call hooks to strip or block PII and restrict specific agent tools before requests reach the LLM.
  • New: Configure log retention time down to zero for request/response capture logs, with S3‑compatible export supported.
  • New: Audit logs that record configuration changes, and each time an admin views logs owned by another user, are available via a new API endpoint and UI.
  • Changed: Set customizable quotas across providers, models, users, agents, or individual agent runs.

API‑only tailnets and OAuth clients

Client updates

v1.96.5

These notable changes include all updates from versions 1.96.4 to 1.96.5. For detailed notes on each release, see our changelog.

Linux

  • Fixed: An issue on forks of Linux caused by fallback‑on‑ENOSYS logic is resolved (also on Synology).
  • Fixed: An issue that could cause a segmentation violation during startup on MIPS devices is resolved.

iOS/tvOS

  • Fixed: An issue that could cause the network extension to encounter an out‑of‑memory condition on large tailnets is resolved.

Android

  • Fixed: An issue causing a deadlock when disconnecting from a tailnet is resolved.

Container, Kubernetes, and tsrecorder updates

Container image v1.96.5

  • New: Services are now automatically advertised on startup. This can be disabled by setting the new environment variable TS_EXPERIMENTAL_SERVICE_AUTO_ADVERTISEMENT to false.
  • Fixed: The Tailscale container no longer tries to create a secret using TS_KUBE_SECRET when the variable is empty.

Kubernetes operator v1.96.5

  • New: Ingress and Egress ProxyGroup pods can request a new authkey when required.
  • New: Multiple tailnet access can be enabled with the new Tailnet custom resource.
  • New: ProxyGroup creation controls can be managed by namespace with the new ProxyGroupPolicy custom resource.
  • Changed: The environment variable TS_EXPERIMENTAL_KUBE_API_EVENTS is removed; this can instead be set via Tailscale ACLs.
  • Fixed: The environment variable TS_LOCAL_ADDR_PORT no longer fails when populated with an IPv6 address without brackets.

tsrecorder v1.96.5

  • Changed: The Recorder CRD now defaults to deploying a single‑replica StatefulSet, using the filesystem storage backend.

Those are the highlights for recent weeks. If you have questions or feedback, we’re here to help. Thank you for using Tailscale.
