Troubleshooting guide

This article contains various suggestions and tips to help troubleshoot setup and connectivity issues. Please email suggestions to

Why can’t I ping my own 100.x IP address on macOS or iOS?

This is a known issue. We’ve investigated it and are working on a solution. You should be able to ping your iOS and macOS devices from other devices.

I can’t send/receive pings from Windows or macOS.

Windows generally has aggressive firewall rules set up, even for ICMP (ping) traffic (both incoming and outgoing). Be sure that you’ve enabled your Windows machines to be able to both send and receive ICMP traffic.

A faster, but riskier approach to test this is to (temporarily) disable the Windows firewalls to see if it makes any impact.

Similarly, macOS’ “stealth mode” will prevent macOS from responding to pings. This can be enabled/disabled in your Mac’s Security & Privacy settings.

Please refer to this issue for updates on improving related notifications and user experience.

My macOS client gets stuck at Loading backend...

Do you have a virus scanner (or other form of endpoint security) such as ESET installed? In some cases we’ve found that security measures interfere with Tailscale’s operation.

My firewall blocks all everything by default. Which ports do I need to open?

In general, you want to:

  • Let your internal devices initiate TCP connections to *:443
  • Let your internal devices initiate UDP from :41641 to *:*

Tailscale won’t automatically update on macOS

Unfortunately, the App Store can’t automatically update the Tailscale macOS app while it’s running. You need to explicitly quit Tailscale before updating. This is a known issue that we’re working on.

Two of my macOS devices have the same 100.x IP address

This can occur if you use a backup of one machine to create another (i.e. the Tailscale configuration files are duplicated.)

To completely reset Tailscale on your Mac:

  1. Quit Tailscale.
  2. Open the Keychain Access app. Search for tailscale.
  3. Delete the entries for tailscale-logdata and tailscale-preferences.
  4. Restart Tailscale.

I have managed to set up Tailscale on my Mac and iPhone. How do I access my Mac’s files from my iPhone?

  1. Open the Files app on your iPhone.
  2. Go to the Browse tab.
  3. Tap the ... in the top right.
  4. Tap Connect to Server and enter your Mac’s Tailscale IP address.

At this point, any folders shared by your Mac (via SMB) are browseable.

How do I know if my traffic is being routed through DERP?

If you’re on Linux, you can try the tailscale status command. The remote address that’s surrounded by *stars* is the one being used. If no entries match, then your traffic is being routed through the relay.

This command is not (yet) supported on other platforms.

Can I route all of my traffic through a default route?

This is a common feature request. Please see this issue on Github to track its status.

If you want to force your traffic through a particular IP (to handle an IP blocklist — a.k.a. an IP whitelist) then see the article on connecting to external services with IP blocklists via Tailscale.

How can I see the IP routes Tailscale installs?

As of v0.99 Tailscale routes moved into a separate routing table (to prevent routing loops in subnet routing), which the legacy netstat tool doesn’t display.

To see routes installed by Tailscale use ip route instead

ip route show table 88

How can I disable subnet route masquerading?

You can disable subnet route masquerading with

tailscale up --snat-subnet-routes=false

How do I deploy Tailscale to a large fleet of devices?

You’ll want to use Tailscale’s pre-authenticated keys feature, which let you authenticate devices by key rather than in-browser.

As an admin, you can create keys in the admin panel once you’re logged in.

Last updated