🎉 Release of add-on Tailscale 0.19.0

README.md

@@ -1050,10 +1050,10 @@ SOFTWARE.
 [vscode-armhf-shield]: https://img.shields.io/badge/armhf-no-red.svg
 [vscode-armv7-shield]: https://img.shields.io/badge/armv7-no-red.svg
 [vscode-i386-shield]: https://img.shields.io/badge/i386-no-red.svg
-[addon-tailscale]: https://github.com/hassio-addons/addon-tailscale/tree/v0.18.0
-[addon-doc-tailscale]: https://github.com/hassio-addons/addon-tailscale/blob/v0.18.0/README.md
+[addon-tailscale]: https://github.com/hassio-addons/addon-tailscale/tree/v0.19.0
+[addon-doc-tailscale]: https://github.com/hassio-addons/addon-tailscale/blob/v0.19.0/README.md
 [tailscale-issue]: https://github.com/hassio-addons/addon-tailscale/issues
-[tailscale-version-shield]: https://img.shields.io/badge/version-v0.18.0-blue.svg
+[tailscale-version-shield]: https://img.shields.io/badge/version-v0.19.0-blue.svg
 [tailscale-aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
 [tailscale-amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
 [tailscale-armhf-shield]: https://img.shields.io/badge/armhf-no-red.svg

tailscale/CHANGELOG.md

@@ -1,10 +1,24 @@
 ## What’s changed
 
+## ✨ New features
+
+- Add app connector option @angel-urena ([#348](https://github.com/hassio-addons/addon-tailscale/pull/348))
+- Make stateful filtering configurable @lmagyar ([#357](https://github.com/hassio-addons/addon-tailscale/pull/357))
+
 ## 🐛 Bug fixes
 
-- Tag names must start with a letter after 'tag:' and contain letters, … @noconnor29 ([#342](https://github.com/hassio-addons/addon-tailscale/pull/342))
+- Fix Linux optimizations @lmagyar ([#360](https://github.com/hassio-addons/addon-tailscale/pull/360))
+- Allow Linux optimizations (UDP GRO for forwarding) on multiple default interfaces and IPv6 @lmagyar ([#361](https://github.com/hassio-addons/addon-tailscale/pull/361))
+
+## 🚀 Enhancements
+
+- Linux optimizations for subnet routers and exit nodes @lmagyar ([#351](https://github.com/hassio-addons/addon-tailscale/pull/351))
+- Fix indentation @lmagyar ([#356](https://github.com/hassio-addons/addon-tailscale/pull/356))
+- Reword app connector option's translation @lmagyar ([#358](https://github.com/hassio-addons/addon-tailscale/pull/358))
 
 ## ⬆️ Dependency updates
 
-- ⬆️ Update Add-on base image to v15.0.8 @renovate ([#344](https://github.com/hassio-addons/addon-tailscale/pull/344))
-- ⬆️ Update tailscale/tailscale to v1.64.0 @renovate ([#346](https://github.com/hassio-addons/addon-tailscale/pull/346))
+- ⬆️ Update alpine_3_19/nginx to v1.24.0-r16 @renovate ([#349](https://github.com/hassio-addons/addon-tailscale/pull/349))
+- ⬆️ Update tailscale/tailscale to v1.66.0 @renovate ([#350](https://github.com/hassio-addons/addon-tailscale/pull/350))
+- ⬆️ Update tailscale/tailscale to v1.66.1 @renovate ([#352](https://github.com/hassio-addons/addon-tailscale/pull/352))
+- ⬆️ Update tailscale/tailscale to v1.66.3 @renovate ([#354](https://github.com/hassio-addons/addon-tailscale/pull/354))

tailscale/DOCS.md

@@ -65,6 +65,7 @@ add-on is restarted._
 accept_dns: true
 accept_routes: true
 advertise_exit_node: true
+advertise_connector: true
 advertise_routes:
   - 192.168.1.0/24
   - fd12:3456:abcd::/64
@@ -74,6 +75,7 @@ login_server: "https://controlplane.tailscale.com"
 proxy: false
 proxy_and_funnel_port: 443
 snat_subnet_routes: true
+stateful_filtering: true
 tags:
   - tag:example
   - tag:homeassistant
@@ -113,6 +115,22 @@ More information: [Exit nodes][tailscale_info_exit_nodes]
 
 When not set, this option is enabled by default.
 
+### Option: `advertise_connector`
+
+This option allows you to advertise this Tailscale instance as an app connector.
+
+When you use an app connector, you specify which applications you wish to make
+accessible over your tailnet, and the domains for those applications. Any traffic
+for that application is then forced over the tailnet to a node running an app
+connector before egressing to the target domains. This is useful for cases where
+the application has an allowlist of IP addresses which can connect to it: the IP
+address of the node running the app connector can be added to the allowlist, and
+all nodes on the tailnet will use that IP address for their traffic egress.
+
+More information: [App connectors][tailscale_info_app_connectors]
+
+When not set, this option is enabled by default.
+
 ### Option: `advertise_routes`
 
 This option allows you to advertise routes to subnets (accessible on the network
@@ -262,8 +280,23 @@ router, and this simplifies routing configuration.
 When not set, this option is enabled by default.
 
 To support advanced [Site-to-site networking][tailscale_info_site_to_site] (eg.
-to traverse multiple networks), you can disable this functionality. But do it
-only when you really understand why you need this.
+to traverse multiple networks), you can disable this functionality, and execute
+steps 2 and 3 as described on [Site-to-site
+networking][tailscale_info_site_to_site]. But do it only when you really
+understand why you need this.
+
+### Option: `stateful_filtering`
+
+This option enables stateful packet filtering on packet-forwarding nodes (exit
+nodes, subnet routers, and app connectors), to only allow return packets for
+existing outbound connections. Inbound packets that don't belong to an existing
+connection are dropped.
+
+When not set, this option is enabled by default.
+
+To support basic [Site-to-site networking][tailscale_info_site_to_site], you can
+disable this functionality, and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 ### Option: `tags`
 
@@ -295,8 +328,8 @@ instance, disable userspace networking mode, which will create a `tailscale0`
 network interface on your host.
 
 If you want to access other clients on your tailnet even from your local subnet,
-execute steps 2 and 3 as described on [Site-to-site
-networking][tailscale_info_site_to_site].
+disable `stateful_filtering` and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 In case your local subnets collide with subnet routes within your tailnet, your
 local network access has priority, and these addresses won't be routed toward
@@ -381,6 +414,7 @@ SOFTWARE.
 [tailscale_dns]: https://login.tailscale.com/admin/dns
 [tailscale_info_acls]: https://tailscale.com/kb/1068/acl-tags/
 [tailscale_info_exit_nodes]: https://tailscale.com/kb/1103/exit-nodes/
+[tailscale_info_app_connectors]: https://tailscale.com/kb/1281/app-connectors
 [tailscale_info_funnel]: https://tailscale.com/kb/1223/tailscale-funnel/
 [tailscale_info_funnel_policy_requirement]: https://tailscale.com/kb/1223/tailscale-funnel/#tailnet-policy-file-requirement
 [tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https/

tailscale/README.md

@@ -45,5 +45,5 @@ If you are more interested in stable releases of our add-ons:
 [patreon-shield]: https://frenck.dev/wp-content/uploads/2019/12/patreon.png
 [patreon]: https://www.patreon.com/frenck
 [project-stage-shield]: https://img.shields.io/badge/project%20stage-experimental-yellow.svg
-[release-shield]: https://img.shields.io/badge/version-v0.18.0-blue.svg
-[release]: https://github.com/hassio-addons/addon-tailscale/tree/v0.18.0
+[release-shield]: https://img.shields.io/badge/version-v0.19.0-blue.svg
+[release]: https://github.com/hassio-addons/addon-tailscale/tree/v0.19.0

tailscale/config.yaml

@@ -1,5 +1,5 @@
 name: Tailscale
-version: 0.18.0
+version: 0.19.0
 slug: tailscale
 description: Zero config VPN for building secure networks
 url: https://github.com/hassio-addons/addon-tailscale
@@ -28,6 +28,7 @@ schema:
   accept_dns: bool?
   accept_routes: bool?
   advertise_exit_node: bool?
+  advertise_connector: bool?
   advertise_routes:
   - match(^(((25[0-5]|(2[0-4]|1\d|[1-9]?)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]?)\d)\/(3[0-2]|[12]?\d)|[a-fA-F\d.:]+:[a-fA-F\d.:]+\/(12[0-8]|(1[01]|[1-9]?)\d))$)?
   funnel: bool?
@@ -36,6 +37,7 @@ schema:
   proxy: bool?
   proxy_and_funnel_port: match(^(443|8443|10000)$)?
   snat_subnet_routes: bool?
+  stateful_filtering: bool?
   tags:
   - match(^tag:[a-zA-Z][a-zA-Z0-9-]*$)?
   taildrop: bool?

tailscale/translations/en.yaml

@@ -19,6 +19,14 @@ configuration:
       By setting a device on your network as an exit node, you can use it to
       route all your public internet traffic as needed, like a consumer VPN.
       When not set, this option is enabled by default.
+  advertise_connector:
+    name: Advertise as an app connector
+    description: >-
+      When you use an app connector, you specify which applications you wish to make
+      accessible over your tailnet, and the domains for those applications. Any traffic
+      for that application is then forced over the tailnet to a node running an app
+      connector before egressing to the target domains.
+      When not set, this option is enabled by default.
   advertise_routes:
     name: Advertise subnet routes
     description: >-
@@ -64,6 +72,14 @@ configuration:
       To support advanced Site-to-site networking (eg. to traverse multiple
       networks), you can disable this functionality.
       When not set, this option is enabled by default.
+  stateful_filtering:
+    name: Stateful packet filtering
+    description: >-
+      This option enables stateful packet filtering on packet-forwarding nodes (exit
+      nodes, subnet routers, and app connectors), to only allow return packets for
+      existing outbound connections.
+      To support basic Site-to-site networking, you can disable this functionality.
+      When not set, this option is enabled by default.
   tags:
     name: Tags
     description: >-