diff --git a/README.md b/README.md
index a7afedaa..04aa4ebd 100644
--- a/README.md
+++ b/README.md
@@ -921,10 +921,10 @@ SOFTWARE.
 [vscode-armhf-shield]: https://img.shields.io/badge/armhf-no-red.svg
 [vscode-armv7-shield]: https://img.shields.io/badge/armv7-no-red.svg
 [vscode-i386-shield]: https://img.shields.io/badge/i386-no-red.svg
-[addon-tailscale]: https://github.com/hassio-addons/addon-tailscale/tree/v0.12.0
-[addon-doc-tailscale]: https://github.com/hassio-addons/addon-tailscale/blob/v0.12.0/README.md
+[addon-tailscale]: https://github.com/hassio-addons/addon-tailscale/tree/v0.13.0
+[addon-doc-tailscale]: https://github.com/hassio-addons/addon-tailscale/blob/v0.13.0/README.md
 [tailscale-issue]: https://github.com/hassio-addons/addon-tailscale/issues
-[tailscale-version-shield]: https://img.shields.io/badge/version-v0.12.0-blue.svg
+[tailscale-version-shield]: https://img.shields.io/badge/version-v0.13.0-blue.svg
 [tailscale-aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
 [tailscale-amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
 [tailscale-armhf-shield]: https://img.shields.io/badge/armhf-no-red.svg
diff --git a/tailscale/CHANGELOG.md b/tailscale/CHANGELOG.md
index c007f0d8..7e3f34fc 100644
--- a/tailscale/CHANGELOG.md
+++ b/tailscale/CHANGELOG.md
@@ -1,75 +1,24 @@
 ## What’s changed
 
-Major updates and tons of new features!
+## 🚨 Breaking changes
 
-Special thanks to @lmagyar, @willnorris, @reey and @bitfliq  for their contributions and work on this ❤️ 
-
-## ✨ New features
-
-- Make exit node advertisement configurable @frenck ([#183](https://github.com/hassio-addons/addon-tailscale/pull/183))
-- Make Taildrop configurable @frenck ([#185](https://github.com/hassio-addons/addon-tailscale/pull/185))
-- Drop userspace networking @frenck ([#181](https://github.com/hassio-addons/addon-tailscale/pull/181))
-- Make accepting magicDNS optional @frenck ([#194](https://github.com/hassio-addons/addon-tailscale/pull/194))
-- Enable Tailscale's builtin inbound HTTPS proxy @lmagyar ([#137](https://github.com/hassio-addons/addon-tailscale/pull/137))
-- Enable Tailscale's Funnel feature @lmagyar ([#197](https://github.com/hassio-addons/addon-tailscale/pull/197))
-- make accepting subnet routes optional @willnorris ([#252](https://github.com/hassio-addons/addon-tailscale/pull/252))
-- Make userspace networking configurable @lmagyar ([#199](https://github.com/hassio-addons/addon-tailscale/pull/199))
-- Make advertise routes configurable @lmagyar ([#253](https://github.com/hassio-addons/addon-tailscale/pull/253))
-- Clamp the MSS to the MTU for all advertised subnet's interface @lmagyar ([#222](https://github.com/hassio-addons/addon-tailscale/pull/222))
-- Make subnet source NAT configurable @lmagyar ([#223](https://github.com/hassio-addons/addon-tailscale/pull/223))
+- Proxy and Funnel are disabled by default @lmagyar ([#273](https://github.com/hassio-addons/addon-tailscale/pull/273))
+- Drop support for armhf & i386 @frenck ([#282](https://github.com/hassio-addons/addon-tailscale/pull/282))
 
 ## 🐛 Bug fixes
 
-- Fix login-server option @reey ([#184](https://github.com/hassio-addons/addon-tailscale/pull/184))
-- Remove duplicate status checks from dependent S6 services @lmagyar ([#196](https://github.com/hassio-addons/addon-tailscale/pull/196))
+- Fix local subnet protection @lmagyar ([#275](https://github.com/hassio-addons/addon-tailscale/pull/275))
 
 ## 🚀 Enhancements
 
-- Create fallback page for iOS browsers failing to open Tailscale login page @bitfliq ([#198](https://github.com/hassio-addons/addon-tailscale/pull/198))
-- Do not opt out of client log upload in debug log level @lmagyar ([#212](https://github.com/hassio-addons/addon-tailscale/pull/212))
-- Warn about key expiration @lmagyar ([#255](https://github.com/hassio-addons/addon-tailscale/pull/255))
-- Use new .Self.CapMap in status JSON for HTTPS support check @lmagyar ([#260](https://github.com/hassio-addons/addon-tailscale/pull/260))
-- Protect local subnets from being routed toward Tailscale subnets if they collide @lmagyar ([#201](https://github.com/hassio-addons/addon-tailscale/pull/201))
+- Test Home Assistant's HTTP reverse proxy configuration on add-on startup @lmagyar ([#254](https://github.com/hassio-addons/addon-tailscale/pull/254))
+- Protect local subnets only if accepting routes are enabled @lmagyar ([#283](https://github.com/hassio-addons/addon-tailscale/pull/283))
 
 ## 📚 Documentation
 
-- Add taildrop to example configuration @lmagyar ([#188](https://github.com/hassio-addons/addon-tailscale/pull/188))
-- Device limit update in DOCS.md @lmagyar ([#192](https://github.com/hassio-addons/addon-tailscale/pull/192))
-- Add docs for accept_dns @frenck ([#195](https://github.com/hassio-addons/addon-tailscale/pull/195))
-- Fix CONTRIBUTING Link in README.md @senden9 ([#232](https://github.com/hassio-addons/addon-tailscale/pull/232))
-- Rearrange proxy documentation into alphabetical order @lmagyar ([#240](https://github.com/hassio-addons/addon-tailscale/pull/240))
-- Update Installation section in documentation @lmagyar ([#242](https://github.com/hassio-addons/addon-tailscale/pull/242))
+- Documentation improvements @lmagyar ([#274](https://github.com/hassio-addons/addon-tailscale/pull/274))
 
 ## ⬆️ Dependency updates
 
-- ⬆️ Update Add-on base image to v13.2.2 @renovate ([#189](https://github.com/hassio-addons/addon-tailscale/pull/189))
-- ⬆️ Update tailscale/tailscale to v1.40.0 @renovate ([#191](https://github.com/hassio-addons/addon-tailscale/pull/191))
-- ⬆️ Update tailscale/tailscale to v1.40.1 @renovate ([#200](https://github.com/hassio-addons/addon-tailscale/pull/200))
-- ⬆️ Update Add-on base image to v14 (major) @renovate ([#202](https://github.com/hassio-addons/addon-tailscale/pull/202))
-- ⬆️ Update alpine_3_18/nginx to v1.24.0-r4 @renovate ([#205](https://github.com/hassio-addons/addon-tailscale/pull/205))
-- ⬆️ Update alpine_3_18/nginx to v1.24.0-r5 @renovate ([#206](https://github.com/hassio-addons/addon-tailscale/pull/206))
-- ⬆️ Update tailscale/tailscale to v1.42.0 @renovate ([#207](https://github.com/hassio-addons/addon-tailscale/pull/207))
-- ⬆️ Update alpine_3_18/nginx to v1.24.0-r6 @renovate ([#208](https://github.com/hassio-addons/addon-tailscale/pull/208))
-- ⬆️ Update Add-on base image to v14.0.1 @renovate ([#215](https://github.com/hassio-addons/addon-tailscale/pull/215))
-- ⬆️ Update Add-on base image to v14.0.2 @renovate ([#217](https://github.com/hassio-addons/addon-tailscale/pull/217))
-- ⬆️ Update tailscale/tailscale to v1.44.0 @renovate ([#218](https://github.com/hassio-addons/addon-tailscale/pull/218))
-- ⬆️ Update Add-on base image to v14.0.3 @renovate ([#228](https://github.com/hassio-addons/addon-tailscale/pull/228))
-- ⬆️ Update tailscale/tailscale to v1.44.2 @renovate ([#230](https://github.com/hassio-addons/addon-tailscale/pull/230))
-- ⬆️ Update tailscale/tailscale to v1.46.0 @renovate ([#231](https://github.com/hassio-addons/addon-tailscale/pull/231))
-- ⬆️ Update tailscale/tailscale to v1.46.1 @renovate ([#234](https://github.com/hassio-addons/addon-tailscale/pull/234))
-- ⬆️ Update Add-on base image to v14.0.5 @renovate ([#233](https://github.com/hassio-addons/addon-tailscale/pull/233))
-- ⬆️ Update Add-on base image to v14.0.6 @renovate ([#235](https://github.com/hassio-addons/addon-tailscale/pull/235))
-- ⬆️ Update Add-on base image to v14.0.7 @renovate ([#237](https://github.com/hassio-addons/addon-tailscale/pull/237))
-- ⬆️ Update Add-on base image to v14.0.8 @renovate ([#238](https://github.com/hassio-addons/addon-tailscale/pull/238))
-- ⬆️ Update Add-on base image to v14.1.0 @renovate ([#241](https://github.com/hassio-addons/addon-tailscale/pull/241))
-- ⬆️ Update tailscale/tailscale to v1.48.0 @renovate ([#243](https://github.com/hassio-addons/addon-tailscale/pull/243))
-- ⬆️ Update tailscale/tailscale to v1.48.1 @renovate ([#245](https://github.com/hassio-addons/addon-tailscale/pull/245))
-- ⬆️ Update tailscale/tailscale to v1.48.2 @renovate ([#256](https://github.com/hassio-addons/addon-tailscale/pull/256))
-- ⬆️ Update Add-on base image to v14.1.1 @renovate ([#257](https://github.com/hassio-addons/addon-tailscale/pull/257))
-- ⬆️ Update tailscale/tailscale to v1.50.0 @renovate ([#259](https://github.com/hassio-addons/addon-tailscale/pull/259))
-- ⬆️ Update ghcr.io/hassio-addons/base/i386 Docker tag to v14.1.3 @renovate ([#261](https://github.com/hassio-addons/addon-tailscale/pull/261))
-- ⬆️ Update Add-on base image to v14.1.3 @renovate ([#262](https://github.com/hassio-addons/addon-tailscale/pull/262))
-- ⬆️ Update Add-on base image to v14.2.0 @renovate ([#263](https://github.com/hassio-addons/addon-tailscale/pull/263))
-- ⬆️ Update tailscale/tailscale to v1.50.1 @renovate ([#264](https://github.com/hassio-addons/addon-tailscale/pull/264))
-- ⬆️ Update Add-on base image to v14.2.1 @renovate ([#267](https://github.com/hassio-addons/addon-tailscale/pull/267))
-- ⬆️ Update Add-on base image to v14.2.2 @renovate ([#270](https://github.com/hassio-addons/addon-tailscale/pull/270))
+- ⬆️ Update alpine_3_18/nginx to v1.24.0-r7 @renovate ([#271](https://github.com/hassio-addons/addon-tailscale/pull/271))
+- ⬆️ Update Add-on base image to v14.3.0 @renovate ([#281](https://github.com/hassio-addons/addon-tailscale/pull/281))
diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md
index 55c9b7a6..4b92b372 100644
--- a/tailscale/DOCS.md
+++ b/tailscale/DOCS.md
@@ -28,8 +28,6 @@ however, it is nice to know where you need to go later on.
    [![Open this add-on in your Home Assistant instance.][addon-badge]][addon]
 
 1. Click the "Install" button to install the add-on.
-1. **See the "Option: `proxy`" section of this documentation for the necessary
-   configuration changes in Home Assistant!**
 1. Start the "Tailscale" add-on.
 1. Check the logs of the "Tailscale" add-on to see if everything went well.
 1. Open the Web UI of the "Tailscale" add-on to complete authentication and
@@ -51,9 +49,9 @@ network right from their interface.
 <https://login.tailscale.com/>
 
 The add-on exposes "Exit Node" capabilities that you can enable from your
-Tailscale account. Additionally, if the Supervisor managed your network (
-which is the default), the add-on will also advertise routes to your
-subnets on all supported interfaces to Tailscale.
+Tailscale account. Additionally, if the Supervisor managed your network (which
+is the default), the add-on will also advertise routes to your subnets on all
+supported interfaces to Tailscale.
 
 Consider disabling key expiry to avoid losing connection to your Home Assistant
 device. See [Key expiry][tailscale_info_key_expiry] for more information.
@@ -62,13 +60,13 @@ device. See [Key expiry][tailscale_info_key_expiry] for more information.
 accept_dns: true
 accept_routes: true
 advertise_exit_node: true
-funnel: true
 advertise_routes:
   - 192.168.1.0/24
   - fd12:3456:abcd::/64
+funnel: false
 log_level: info
 login_server: "https://controlplane.tailscale.com"
-proxy: true
+proxy: false
 snat_subnet_routes: true
 tags:
   - tag:example
@@ -94,7 +92,7 @@ by adding `100.100.100.100` as a DNS server in your Pi-hole or AdGuard Home.
 This option allows you to accept subnet routes advertised by other nodes in
 your tailnet.
 
-More information: <https://tailscale.com/kb/1019/subnets/>
+More information: [Subnet routers][tailscale_info_subnets]
 
 When not set, this option is enabled by default.
 
@@ -105,7 +103,7 @@ This option allows you to advertise this Tailscale instance as an exit node.
 By setting a device on your network as an exit node, you can use it to
 route all your public internet traffic as needed, like a consumer VPN.
 
-More information: <https://tailscale.com/kb/1103/exit-nodes/>
+More information: [Exit nodes][tailscale_info_exit_nodes]
 
 When not set, this option is enabled by default.
 
@@ -132,7 +130,7 @@ This requires Tailscale Proxy to be enabled.
 **Important:** See also the "Option: `proxy`" section of this documentation for the
 necessary configuration changes in Home Assistant!
 
-When not set, this option is enabled by default.
+When not set, this option is disabled by default.
 
 With the Tailscale Funnel feature, you can access your Home Assistant instance
 from the wider internet using your Tailscale domain (like
@@ -149,20 +147,11 @@ proxying for HTTPS communication.
 
 More information: [Tailscale Funnel][tailscale_info_funnel]
 
-1. Navigate to the [Access controls page][tailscale_acls] of the admin console,
-   and add the below policy entries to the policy file. See [Server role
-   accounts using ACL tags][tailscale_info_acls] for more information.
+1. Navigate to the [Access controls page][tailscale_acls] of the admin console:
 
-   ```json
-   {
-     "nodeAttrs": [
-       {
-         "target": ["autogroup:members"],
-         "attr": ["funnel"]
-       }
-     ]
-   }
-   ```
+   - Add the required `funnel` node attribute to the tailnet policy file. See
+     [Tailnet policy file requirement][tailscale_info_funnel_policy_requirement]
+     for more information.
 
 1. Restart the add-on.
 
@@ -202,36 +191,13 @@ you are troubleshooting.
 
 ### Option: `login_server`
 
-This option lets you specify you to specify a custom control server instead of
-the default (`https://controlplane.tailscale.com`). This is useful if you
-are running your own Tailscale control server, for example, a self-hosted
-[Headscale] instance.
-
-### Option: `userspace_networking`
-
-The add-on uses [userspace networking mode][tailscale_info_userspace_networking]
-to make your Home Assistant instance (and optionally the local subnets)
-accessible within your tailnet.
-
-When not set, this option is enabled by default.
-
-If you need to access other clients on your tailnet from your Home Assistant
-instance, disable userspace networking mode, which will create a `tailscale0`
-network interface on your host.
-
-If you want to access other clients on your tailnet even from your local subnet,
-execute steps 2 and 3 as described on [Site-to-site
-networking][tailscale_info_site_to_site].
-
-In case your local subnets collide with subnet routes within your tailnet, your
-local network access has priority, and these addresses won't be routed toward
-your tailnet. This will prevent your Home Assistant instance from losing network
-connection. This also means that using the same subnet on multiple nodes for load
-balancing and failover is impossible with the current add-on behavior.
+This option lets you to specify a custom control server instead of the default
+(`https://controlplane.tailscale.com`). This is useful if you are running your
+own Tailscale control server, for example, a self-hosted [Headscale] instance.
 
 ### Option: `proxy`
 
-When not set, this option is enabled by default.
+When not set, this option is disabled by default.
 
 Tailscale can provide a TLS certificate for your Home Assistant instance within
 your tailnet domain.
@@ -260,7 +226,7 @@ More information: [Enabling HTTPS][tailscale_info_https]
 
 1. Navigate to the [DNS page][tailscale_dns] of the admin console:
 
-   - Choose a Tailnet name.
+   - Choose a tailnet name.
 
    - Enable MagicDNS if not already enabled.
 
@@ -288,7 +254,7 @@ only when you really understand why you need this.
 This option allows you to specify specific ACL tags for this Tailscale
 instance. They need to start with `tag:`.
 
-More information: <https://tailscale.com/kb/1068/acl-tags/>
+More information: [ACL tags][tailscale_info_acls]
 
 ### Option: `taildrop`
 
@@ -300,6 +266,28 @@ When not set, this option is enabled by default.
 
 Received files are stored in the `/share/taildrop` directory.
 
+### Option: `userspace_networking`
+
+The add-on uses [userspace networking mode][tailscale_info_userspace_networking]
+to make your Home Assistant instance (and optionally the local subnets)
+accessible within your tailnet.
+
+When not set, this option is enabled by default.
+
+If you need to access other clients on your tailnet from your Home Assistant
+instance, disable userspace networking mode, which will create a `tailscale0`
+network interface on your host.
+
+If you want to access other clients on your tailnet even from your local subnet,
+execute steps 2 and 3 as described on [Site-to-site
+networking][tailscale_info_site_to_site].
+
+In case your local subnets collide with subnet routes within your tailnet, your
+local network access has priority, and these addresses won't be routed toward
+your tailnet. This will prevent your Home Assistant instance from losing network
+connection. This also means that using the same subnet on multiple nodes for load
+balancing and failover is impossible with the current add-on behavior.
+
 ## Changelog & Releases
 
 This repository keeps a change log using [GitHub's releases][releases]
@@ -376,8 +364,11 @@ SOFTWARE.
 [tailscale_acls]: https://login.tailscale.com/admin/acls
 [tailscale_dns]: https://login.tailscale.com/admin/dns
 [tailscale_info_acls]: https://tailscale.com/kb/1068/acl-tags/
+[tailscale_info_exit_nodes]: https://tailscale.com/kb/1103/exit-nodes/
 [tailscale_info_funnel]: https://tailscale.com/kb/1223/tailscale-funnel/
+[tailscale_info_funnel_policy_requirement]: https://tailscale.com/kb/1223/tailscale-funnel/#tailnet-policy-file-requirement
 [tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https/
 [tailscale_info_key_expiry]: https://tailscale.com/kb/1028/key-expiry/
 [tailscale_info_site_to_site]: https://tailscale.com/kb/1214/site-to-site/
+[tailscale_info_subnets]: https://tailscale.com/kb/1019/subnets/
 [tailscale_info_userspace_networking]: https://tailscale.com/kb/1112/userspace-networking/
diff --git a/tailscale/README.md b/tailscale/README.md
index 3624a930..3a4692fd 100644
--- a/tailscale/README.md
+++ b/tailscale/README.md
@@ -45,5 +45,5 @@ If you are more interested in stable releases of our add-ons:
 [patreon-shield]: https://frenck.dev/wp-content/uploads/2019/12/patreon.png
 [patreon]: https://www.patreon.com/frenck
 [project-stage-shield]: https://img.shields.io/badge/project%20stage-experimental-yellow.svg
-[release-shield]: https://img.shields.io/badge/version-v0.12.0-blue.svg
-[release]: https://github.com/hassio-addons/addon-tailscale/tree/v0.12.0
\ No newline at end of file
+[release-shield]: https://img.shields.io/badge/version-v0.13.0-blue.svg
+[release]: https://github.com/hassio-addons/addon-tailscale/tree/v0.13.0
\ No newline at end of file
diff --git a/tailscale/config.yaml b/tailscale/config.yaml
index c5147ff6..712918c6 100644
--- a/tailscale/config.yaml
+++ b/tailscale/config.yaml
@@ -1,5 +1,5 @@
 name: Tailscale
-version: 0.12.0
+version: 0.13.0
 slug: tailscale
 description: Zero config VPN for building secure networks
 url: https://github.com/hassio-addons/addon-tailscale
@@ -12,9 +12,7 @@ panel_icon: mdi:vpn
 arch:
 - aarch64
 - amd64
-- armhf
 - armv7
-- i386
 init: false
 hassio_api: true
 host_network: true
diff --git a/tailscale/translations/en.yaml b/tailscale/translations/en.yaml
index 9e583c2a..1c01595c 100644
--- a/tailscale/translations/en.yaml
+++ b/tailscale/translations/en.yaml
@@ -7,7 +7,7 @@ configuration:
       disable, you can do so using this option.
       When not set, this option is enabled by default.
   accept_routes:
-    name: Accept Routes
+    name: Accept routes
     description: >-
       This option allows you to accept subnet routes advertised by other nodes
       in your tailnet.
@@ -32,7 +32,7 @@ configuration:
       This option allows you to enable Tailscale's Funnel feature to present your
       Home Assistant instance on the wider internet using your Tailscale domain.
       This requires Tailscale Proxy to be enabled.
-      When not set, this option is enabled by default.
+      When not set, this option is disabled by default.
   log_level:
     name: Log level
     description: >-
@@ -49,7 +49,7 @@ configuration:
     description: >-
       This option allows you to enable Tailscale's Proxy feature to present your
       Home Assistant instance on your tailnet with a valid certificate.
-      When not set, this option is enabled by default.
+      When not set, this option is disabled by default.
   snat_subnet_routes:
     name: Source NAT subnet routes
     description: >-
@@ -73,7 +73,7 @@ configuration:
     name: Userspace networking mode
     description: >-
       This option allows you to enable userspace networking mode.
-      If you need to access other clients on your Tailnet from your Home
+      If you need to access other clients on your tailnet from your Home
       Assistant instance, disable userspace networking mode, which will create a
       `tailscale0` network interface on your host.
       When not set, this option is enabled by default.