# tailscale

## Identity
- Unit: `tailscaled.service`
- CLI: `tailscale` (client commands) + `tailscaled` (daemon)
- Config: `/etc/default/tailscaled` (daemon flags); ACLs managed via Tailscale admin console (HuJSON)
- State: `/var/lib/tailscale/`
- Logs: `journalctl -u tailscaled`
- Install: `curl -fsSL https://tailscale.com/install.sh | sh` (review before running) or package repo at `pkgs.tailscale.com`
## Key Operations
| Goal | Command |
|---|---|
| Authenticate / bring up | tailscale up |
| Authenticate headless | tailscale up --authkey=<key> |
| Check status | tailscale status |
| Show Tailscale IP | tailscale ip -4 |
| Ping a peer | tailscale ping <peer-name-or-ip> |
| Bring interface down | tailscale down |
| Deauthenticate device | tailscale logout |
| Send file (Taildrop) | tailscale file cp <file> <peer>: |
| SSH to peer | tailscale ssh <peer> |
| Set exit node | tailscale set --exit-node=<peer-name> |
| Clear exit node | tailscale set --exit-node= |
| Advertise as exit node | tailscale up --advertise-exit-node |
| Advertise subnet routes | tailscale up --advertise-routes=192.168.1.0/24 |
| Accept routes from peers | tailscale up --accept-routes |
| Disable MagicDNS | tailscale up --accept-dns=false |
| Re-enable MagicDNS | tailscale up --accept-dns=true |
| Check for updates | tailscale update --check |
| Apply update | tailscale update |
| Show version | tailscale version |
## Expected State
- `tailscale status` shows self and connected peers
- `tailscale ip` returns a `100.x.x.x` address (Tailscale's CGNAT range: `100.64.0.0/10`)
- Interface `tailscale0` is present in `ip link show`
## Health Checks
- `systemctl is-active tailscaled` → `active`
- `tailscale status` → shows self entry and peer list
- `tailscale ping <peer>` → `pong from <peer> (<ip>) via <relay/direct> in Xms`
- `tailscale ip -4` → returns a `100.x.x.x` address
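The checks above, turned into a script that runs them in order and exits non-zero on the first failure (so it can run from cron or a monitoring agent). This is an added example, not part of the original page or of Tailscale's own tooling. It relies on `tailscale status --json` reporting a `BackendState` field and on `tailscale ping -c`, both real CLI features; the file name `tailscale-health.sh` is this example's own choice. `in_cgnat_range` tests membership in `100.64.0.0/10` exactly, because a `100.x.x.x` address whose second octet is outside 64..127 is not a tailnet address.

```sh
#!/bin/sh
# Added example: health check for a Tailscale node, built from the checks listed
# above. Not part of the original page or of Tailscale's own tooling.
# Exits non-zero on the first failing check so it can run from cron or a monitor.

# Return 0 if $1 is an IPv4 address inside Tailscale's range 100.64.0.0/10.
# Only second octets 64..127 qualify; 100.5.1.1 is not a tailnet address.
in_cgnat_range() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # not dotted-decimal
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')   # split into octets (word splitting intended)
    [ $# -eq 4 ] || return 1
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] \
        && [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# Run the health checks in order; optional $1 is a peer to ping.
# Prints the first failure to stderr and returns 1, or prints OK and returns 0.
tailscale_healthcheck() {
    peer=${1:-}
    if ! systemctl is-active --quiet tailscaled; then
        echo "FAIL: tailscaled is not active (systemctl start tailscaled)" >&2
        return 1
    fi
    # BackendState is "NeedsLogin", "Stopped", etc. when the node is not up.
    if ! tailscale status --json 2>/dev/null | grep -Eq '"BackendState":[[:space:]]*"Running"'; then
        echo "FAIL: backend not Running (check: tailscale status; then tailscale up)" >&2
        return 1
    fi
    addr=$(tailscale ip -4 2>/dev/null | head -n 1)
    if ! in_cgnat_range "$addr"; then
        echo "FAIL: no tailnet IPv4 address (got '${addr:-none}')" >&2
        return 1
    fi
    if [ -n "$peer" ] && ! tailscale ping -c 1 "$peer" >/dev/null 2>&1; then
        echo "FAIL: no pong from $peer (peer offline, or UDP 41641 blocked and DERP unreachable)" >&2
        return 1
    fi
    echo "OK: tailscaled active, self=$addr${peer:+, $peer reachable}"
}

# Run when invoked directly as tailscale-health.sh (file name is this example's choice):
#   ./tailscale-health.sh [peer]
case "$0" in *tailscale-health.sh) tailscale_healthcheck "${1:-}" ;; esac
```

The checks are ordered from cheapest to most dependent: a stopped daemon makes every later check fail for the same reason, and a `NeedsLogin` backend means the missing address and failed ping are consequences, not separate faults.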
## Common Failures
| Symptom | Likely cause | Check / Fix |
|---|---|---|
| tailscale: command not found or daemon not running | Not installed or tailscaled stopped | systemctl start tailscaled; reinstall if needed |
| tailscale status shows "NeedsLogin" | Device not authenticated | tailscale up and complete browser auth, or use --authkey |
| MagicDNS names not resolving (<device>.ts.net) | MagicDNS disabled or accept-dns=false | tailscale up --accept-dns=true; check admin console DNS settings |
| Subnet routes not reachable | IP forwarding disabled, routes not approved, or clients not accepting | Enable net.ipv4.ip_forward; approve routes in admin console; run tailscale up --accept-routes on clients |
| Exit node not routing traffic | Exit node not approved or client not selecting it | Approve in admin console; tailscale set --exit-node=<name> on client |
| UDP 41641 blocked by firewall | Firewall blocking Tailscale's data plane port | Open UDP 41641; Tailscale falls back to DERP relay but performance degrades |
| Device shows as expired | Auth key or session expired | tailscale up --force-reauth or re-authenticate via admin console |
## Pain Points
- Subnet routing requires three steps: the server advertises (`tailscale up --advertise-routes=192.168.1.0/24`), an admin approves the routes in the admin console, and clients enable `tailscale up --accept-routes`. All three must be true for routing to work.
- Exit node requires three steps: the device advertises (`--advertise-exit-node`), an admin approves it in the console, and clients select it (`tailscale set --exit-node=<name>`). Missing any step means no traffic is rerouted.
- `ip_forward` is required for subnet routing and exit nodes: the advertising device must have IP forwarding enabled.
  ```sh
  echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p
  ```
- MagicDNS: Tailscale assigns `<device>.<tailnet>.ts.net` names to each device. Split DNS (forwarding only tailnet names through Tailscale) is configurable in the admin console under DNS settings. Disabling MagicDNS entirely (`--accept-dns=false`) is the escape hatch if Tailscale's DNS overrides conflict with the local resolver setup.
- Tailscale SSH: Tailscale can manage SSH access without a running `sshd`, using Tailscale identity for authentication. Enable with `tailscale up --ssh`. SSH keys and `authorized_keys` are not involved — access is governed by ACLs in the admin console. This is additive: an existing `sshd` continues to work.
- CGNAT range conflict: Tailscale uses `100.64.0.0/10`. This range is also used by some ISPs for carrier-grade NAT and may conflict with other VPNs (e.g., WireGuard tunnels, OpenVPN). If there is a conflict, check the Tailscale docs for custom address range options (available on paid plans).
- Funnel: `tailscale funnel 443` exposes a local port on the public internet via Tailscale's infrastructure, reachable at `https://<device>.<tailnet>.ts.net`. For development and testing only — not intended for production traffic. Must be enabled per-device in the admin console.
- `tailscale up` rewrites flags: running `tailscale up` with a subset of flags resets unspecified flags to defaults. Always pass all desired flags together, or use `tailscale set` for individual flag changes without resetting others.
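The subnet-router and exit-node steps, the `ip_forward` requirement and the flag-reset behaviour of `tailscale up` described above, combined into one bring-up script that is safe to re-run. This is an added example, not Tailscale's own code or a script from the original page. Its assumptions: the drop-in path `/etc/sysctl.d/99-tailscale.conf`, the script name `tailscale-subnet-router.sh` and the `DESIRED_*` variables are this script's own conventions; `sysctl -p FILE` is the real procps form. The page mentions only `net.ipv4.ip_forward`; the script also sets `net.ipv6.conf.all.forwarding`, which Tailscale's subnet-router docs list alongside it so that IPv6 routes and exit-node traffic are forwarded too.

```sh
#!/bin/sh
# Added example (not the project's code): bring a Linux host up as a subnet
# router and exit node in a way that is safe to re-run. It addresses two pain
# points above: forwarding is written as a complete sysctl.d drop-in instead of
# appended to /etc/sysctl.conf (which duplicates the line on every run), and
# `tailscale up` is always given the full desired flag set, so a re-run never
# resets a flag that was left out. The drop-in path, script name and DESIRED_*
# variables are this script's own conventions. Admin-console approval of the
# routes / exit node remains a separate manual step.
set -eu

SYSCTL_DROPIN=${SYSCTL_DROPIN:-/etc/sysctl.d/99-tailscale.conf}

# Desired persistent state. Keep EVERY flag here: an omitted `tailscale up`
# flag means "reset to default". Use `tailscale set` to change one value.
DESIRED_ROUTES=${DESIRED_ROUTES:-192.168.1.0/24}
DESIRED_EXIT_NODE=${DESIRED_EXIT_NODE:-1}       # 1 = also advertise as exit node
DESIRED_SSH=${DESIRED_SSH:-0}                   # 1 = enable Tailscale SSH
DESIRED_ACCEPT_DNS=${DESIRED_ACCEPT_DNS:-true}  # false = leave local resolver alone

# Write IPv4 and IPv6 forwarding to the drop-in idempotently: the file is
# regenerated whole and left untouched when already correct. $1 overrides the
# path (used for dry runs). Writing only; apply() loads it.
enable_forwarding() {
    f=${1:-$SYSCTL_DROPIN}
    want='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
    if [ -f "$f" ] && [ "$(cat "$f")" = "$want" ]; then
        return 0  # already in desired state
    fi
    printf '%s\n' "$want" > "$f"
}

# Print the complete `tailscale up` argument list for the desired state.
build_up_args() {
    args="--advertise-routes=$DESIRED_ROUTES --accept-dns=$DESIRED_ACCEPT_DNS"
    if [ "$DESIRED_EXIT_NODE" = 1 ]; then
        args="$args --advertise-exit-node"
    fi
    if [ "$DESIRED_SSH" = 1 ]; then
        args="$args --ssh"
    fi
    printf '%s\n' "$args"
}

# Forwarding first (advertised routes are useless without it), then the full up.
apply() {
    enable_forwarding
    sysctl -p "$SYSCTL_DROPIN" >/dev/null
    # shellcheck disable=SC2046  # splitting the flag string into words is intended
    tailscale up $(build_up_args)
    echo "Advertised routes/exit node; approve them in the admin console, then" \
         "run 'tailscale up --accept-routes' on clients."
}

# Run when invoked directly as tailscale-subnet-router.sh (needs root for sysctl and tailscale up).
case "$0" in *tailscale-subnet-router.sh) apply ;; esac
```

Changing a single setting later (for example dropping the exit node) should go through `tailscale set`, or through editing the `DESIRED_*` values and re-running this script; a hand-typed `tailscale up --advertise-exit-node` on its own would silently drop the advertised routes.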
## References
See `references/` for:
- `configuration.md` — `tailscale up` flags, daemon config, ACL structure, and setup patterns
- `docs.md` — official documentation links