headscale v0.29.0 released on 17-06-2026

headscale v0.29.0 is out now. Operators and teams wanting closer parity with Tailscale get first‑class grants (ip/app/via), finer nodeAttrs controls and Taildrive policy, plus SSH check actions and beta policy/SSH tests for validation.
See the project release notes on GitHub and the upgrade guide (https://headscale.net/stable/setup/upgrade/) for the full changelog and upgrade steps.
What’s in this release
- Support for Tailscale-style policy grants (ip, app, via) alongside ACLs, and a new autogroup:danger-all (source-only) that resolves to all IPs.
- ACLs gain nodeAttrs (per-target capability caps) and a top-level policy.randomizeClientPort; Taildrive (drive:share / drive:access and tailscale.com/cap/drive) is configurable via grants and nodeAttrs; auto_update.enabled sets the tailnet default for client auto-updates.
- Policy tests and sshTests are available in beta and are evaluated on user policy writes, SIGHUP reload and headscale policy check — failing tests reject writes or log a warning at boot while coverage expands.
Upgrade notes
- The old server-config key randomize_client_port has been removed. Move this toggle into your policy file as the top-level randomizeClientPort field (headscale will refuse to start if the old key is present). See the upgrade guide for exact steps.
- Headscale now enforces a strict upgrade path: do not skip minor versions and do not downgrade across minor versions. Rollbacks across minors are blocked; follow the documented upgrade sequence.
Tell the project about your upgrade experience or any issues you hit — feedback on the GitHub repository is appreciated.


