Tailscale Network Management
Quick Start
Install (Linux)
curl -fsSL https://tailscale.com/install.sh | sh
Install (macOS)
brew install tailscale
Connect and authenticate
sudo tailscale up
Check status
tailscale status
Get your Tailscale IP
tailscale ip -4
Common Operations
Connection Management
tailscale up # Connect
tailscale down # Disconnect (daemon stays running)
tailscale status # View peers
tailscale status --json | jq # Detailed network map
tailscale ping machine-name # Test connectivity (ignores ACLs)
tailscale ping --icmp machine-name # Test with ACLs
tailscale set --exit-node=name # Use exit node
tailscale set --exit-node= # Stop using exit node
Use tailscale set to change settings without reconnecting. Use tailscale up for initial setup.
Subnet Router Setup
Run scripts/setup_subnet_router.sh <subnet_cidr> [auth_key] for automated setup.
Manual steps:
- Enable IP forwarding on the router device
- sudo tailscale up --advertise-routes=192.168.1.0/24
- Approve routes in admin console (Machines > device > Edit route settings)
- Linux clients: sudo tailscale up --accept-routes
Exit Node Setup
Run scripts/setup_exit_node.sh [auth_key] for automated setup.
Manual steps:
- Enable IP forwarding on the exit node
- sudo tailscale up --advertise-exit-node
- Approve in admin console (Machines > device > Edit route settings > Use as exit node)
- Clients: tailscale set --exit-node=node-name --exit-node-allow-lan-access
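The manual subnet router and exit node steps above share the same first step (IP forwarding) and differ only in the flag passed to tailscale up. The script below is an added example, not Tailscale's code and not the scripts/setup_subnet_router.sh or scripts/setup_exit_node.sh helpers listed on this page; it assumes a Linux host with sysctl and /etc/sysctl.d, Tailscale already installed, and root (or sudo) when actually applying the settings. It validates the advertised CIDR before handing it to tailscale and keeps the host-changing part behind a dispatcher so the functions can be tested without touching the system.

```shell
#!/bin/sh
# Added example, not Tailscale's code and not the scripts/ helpers listed on this
# page: the manual subnet-router and exit-node steps as one small script.
# Assumptions: Linux host with sysctl and /etc/sysctl.d, Tailscale already
# installed, run as root (or via sudo) when actually applying the settings.
set -eu

# Return 0 if $1 is a plausible IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
# Validating the route before advertising it avoids pushing a typo to the tailnet.
valid_cidr() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1              # no "/" present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip                                     # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (but do not run) the "tailscale up" command for a role:
#   build_up_cmd router 192.168.1.0/24  -> tailscale up --advertise-routes=192.168.1.0/24
#   build_up_cmd exit                   -> tailscale up --advertise-exit-node
build_up_cmd() {
    role=$1
    case "$role" in
        router)
            route=${2:-}
            valid_cidr "$route" || { echo "invalid CIDR: '$route'" >&2; return 1; }
            echo "tailscale up --advertise-routes=$route" ;;
        exit)
            echo "tailscale up --advertise-exit-node" ;;
        *)
            echo "unknown role: $role (expected 'router' or 'exit')" >&2
            return 1 ;;
    esac
}

# Write the forwarding settings both roles need to a sysctl.d fragment so they
# survive reboots; applying them with "sysctl -p" happens in the dispatcher.
write_forwarding_conf() {
    conf=$1
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > "$conf"
}

# Dispatcher: runs only when invoked with arguments, so the functions above can
# be sourced or tested without changing the host.
#   ./setup.sh router 192.168.1.0/24
#   ./setup.sh exit
if [ $# -gt 0 ]; then
    up_cmd=$(build_up_cmd "$@")
    write_forwarding_conf /etc/sysctl.d/99-tailscale.conf
    sysctl -p /etc/sysctl.d/99-tailscale.conf
    echo "running: $up_cmd"
    $up_cmd
    echo "Now approve the route or exit node in the admin console" \
         "(Machines > device > Edit route settings)."
fi
```

The approval step cannot be scripted from the node itself: until an admin approves the route or exit node in the console, the advertisement is visible but not usable, which is the control that stops a compromised node from quietly widening the tailnet's reachable address space.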
Tailscale SSH
Enable on server
sudo tailscale set --ssh
Connect from client (no special setup needed)
ssh machine-name
Requires both a network access grant and an SSH rule in the policy. See acl-examples.md for SSH ACL patterns.
Serve and Funnel
Serve locally to tailnet
tailscale serve 3000
Expose to public internet (ports 443, 8443, or 10000 only)
tailscale funnel 3000
TCP forwarding with TLS termination
tailscale serve --tls-terminated-tcp=5432 localhost:5432
Check status / turn off
tailscale serve status
tailscale serve off
Access Control
Use Grants (modern, recommended) over ACLs (legacy). Both work, but Grants support application-layer capabilities.
{
  "groups": {
    "group:engineering": ["alice@example.com"]
  },
  "tagOwners": {
    "tag:server": ["group:engineering"]
  },
  "grants": [
    {
      "src": ["group:engineering"],
      "dst": ["tag:server"],
      "ip": ["22", "443"]
    }
  ]
}
Key patterns: Use groups for people, tags for machines. Always include both network grants and SSH rules for SSH access.
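The "both network grant and SSH rule" pattern, shown as an added example rather than a fragment taken from this page or from acl-examples.md: it reuses the group and tag names from the policy above and assumes Tailscale SSH is enabled on the tagged servers. The grant is what lets packets reach port 22; the ssh block is what lets Tailscale SSH accept the login and decides which OS accounts are reachable. The policy file is HuJSON, so the comments are valid.

```json
{
  "groups": {
    "group:engineering": ["alice@example.com"]
  },
  "tagOwners": {
    "tag:server": ["group:engineering"]
  },
  "grants": [
    // Network path: without this grant the SSH rule below never sees a connection.
    { "src": ["group:engineering"], "dst": ["tag:server"], "ip": ["22", "443"] }
  ],
  "ssh": [
    // Tailscale SSH authorization: who may log in, and as which OS users.
    // autogroup:nonroot allows any non-root account; list "root" explicitly only if needed.
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:server"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Removing either half fails closed: dropping the grant leaves the SSH rule unreachable, and dropping the SSH rule leaves port 22 open at the network layer but every Tailscale SSH login refused.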
For detailed ACL scenarios, SSH access patterns, posture checks, auto-approvers, GitOps integration, and common mistakes, see acl-examples.md.
Reference Files
- cli-reference.md - Complete CLI command reference with all flags, target formats, and platform-specific notes
- acl-examples.md - Detailed ACL/grants configuration: team-based access, dev/staging/prod isolation, SSH patterns, posture checks, auto-approvers, GitOps, migration from ACLs to Grants
- api-usage.md - REST API, Terraform provider, Python SDK, webhooks, automation examples
- troubleshooting.md - Connectivity diagnostics, subnet router issues, exit node issues, SSH problems, MagicDNS, performance tuning, common error messages
- production-setup.md - Architecture patterns, HA setup, security hardening, IaC (Terraform/Ansible/K8s), monitoring, DR, operational procedures
Scripts
- scripts/setup_subnet_router.sh <subnet_cidr> [auth_key] - Automated subnet router setup (installs Tailscale, enables IP forwarding, configures routes)
- scripts/setup_exit_node.sh [auth_key] - Automated exit node setup (installs Tailscale, enables IP forwarding, advertises as exit node)