headscale | v0.29.0

headscale v0.29.0 released on 17-06-2026


headscale v0.29.0 is out now. Operators and teams wanting closer parity with Tailscale get first‑class grants (ip/app/via), finer nodeAttrs controls and Taildrive policy, plus SSH check actions and beta policy/SSH tests for validation.

See the project release notes on GitHub and the upgrade guide (https://headscale.net/stable/setup/upgrade/) for the full changelog and upgrade steps.

What’s in this release

  • Support for Tailscale-style policy grants (ip, app, via) alongside ACLs, and a new autogroup:danger-all (source-only) that resolves to all IPs.
  • ACLs gain nodeAttrs (per-target capability caps) and a top-level policy.randomizeClientPort; Taildrive (drive:share / drive:access and tailscale.com/cap/drive) is configurable via grants and nodeAttrs; auto_update.enabled sets the tailnet default for client auto-updates.
  • Policy tests and sshTests are available in beta and are evaluated on user policy writes, SIGHUP reload and headscale policy check — failing tests reject writes or log a warning at boot while coverage expands.

Upgrade notes

  • The old server-config key randomize_client_port has been removed. Move this toggle into your policy file as the top-level randomizeClientPort field (headscale will refuse to start if the old key is present). See the upgrade guide for exact steps.
  • Headscale now enforces a strict upgrade path: do not skip minor versions and do not downgrade across minor versions. Rollbacks across minors are blocked; follow the documented upgrade sequence.

Tell the project about your upgrade experience or any issues you hit — feedback on the GitHub repository is appreciated.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes