Troubleshooting guide

This article contains various suggestions and tips to help troubleshoot setup and connectivity issues. Please email suggestions to

I can’t send/receive pings from Windows or macOS.

Windows generally has aggressive firewall rules set up, even for ICMP (ping) traffic, both incoming and outgoing. Make sure your Windows machines are allowed to both send and receive ICMP traffic.

A faster but riskier way to test this is to temporarily disable the Windows firewalls and see whether that makes a difference.

Similarly, macOS’ “stealth mode” will prevent macOS from responding to pings. This can be enabled/disabled in your Mac’s Security & Privacy settings.

Please refer to this issue for updates on improving related notifications and user experience.

My macOS client gets stuck at Loading backend...

Do you have a virus scanner (or other form of endpoint security) such as ESET installed? In some cases we’ve found that security measures interfere with Tailscale’s operation.

My firewall blocks everything by default. Which ports do I need to open?

In general, you want to:

  • Let your internal devices initiate TCP connections to *:443
  • Let your internal devices initiate UDP from :41641 to *:*

Tailscale won’t automatically update on macOS

Unfortunately, the App Store can’t automatically update the Tailscale macOS app while it’s running. You need to explicitly quit Tailscale before updating. This is a known issue that we’re working on.

Two of my macOS devices have the same 100.x IP address

This can occur if you use a backup of one machine to create another (i.e., the Tailscale configuration files are duplicated).

To completely reset Tailscale on your Mac:

  1. Quit Tailscale.
  2. Open the Keychain Access app. Search for tailscale.
  3. Delete the entries for tailscale-logdata and tailscale-preferences.
  4. Restart Tailscale.

I have managed to set up Tailscale on my Mac and iPhone. How do I access my Mac’s files from my iPhone?

  1. Open the Files app on your iPhone.
  2. Go to the Browse tab.
  3. Tap the ... in the top right.
  4. Tap Connect to Server and enter your Mac’s Tailscale IP address.

At this point, any folders shared by your Mac (via SMB) are browseable.

How do I know if my traffic is being routed through DERP?

Use the Tailscale CLI to run the tailscale status command. Any address or region code surrounded by *asterisks* is actively being used. If you see a relay code surrounded by asterisks (e.g. *nyc*), then your traffic is being routed through that relay. If no relay codes have asterisks, then your traffic is not being routed through any relay.

The CLI is only supported on macOS, Windows, and Linux.

Can I route all of my traffic through a default route?

This is a common feature request. Please see this issue on GitHub to track its status.

If you want to force your traffic through a particular IP (to handle an IP blocklist — a.k.a. an IP whitelist) then see the article on connecting to external services with IP blocklists via Tailscale.

Why do I get an error about IP forwarding when using advertise-routes?

Tailscale’s subnet feature requires IP forwarding to be enabled. If it is not enabled, you may see an error when using --advertise-routes.

You can enable IP forwarding on your Linux device by editing /etc/sysctl.conf:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Note that you only need to enable IP forwarding on the machine where --advertise-routes is called.
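The command above appends a new line every time it is run and does not override an earlier net.ipv4.ip_forward = 0 line that sits later in the file. The following is an added example, not Tailscale's own code: an idempotent version of that step. The function names ensure_ip_forward and active_values are hypothetical.

```shell
#!/bin/sh
# Added example (not Tailscale's code): idempotent form of the page's
# "echo ... | tee -a /etc/sysctl.conf" step.
# Usage, as root:
#   ensure_ip_forward /etc/sysctl.conf && sysctl -p /etc/sysctl.conf

# Matches active (uncommented) lines that set the key.
KEY_RE='^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='

# Print the value of every active ip_forward line in file $1, one per line.
active_values() {
    grep -E "$KEY_RE" "$1" 2>/dev/null |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Make sure file $1 enables IPv4 forwarding.
# Prints "added", "updated" or "unchanged".
ensure_ip_forward() {
    conf=$1
    vals=$(active_values "$conf")
    if [ -z "$vals" ]; then
        # No active setting yet. Terminate an unfinished last line first so
        # the appended setting does not get glued onto it.
        [ -n "$(tail -c1 "$conf" 2>/dev/null)" ] && echo >> "$conf"
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
        echo added
    elif echo "$vals" | grep -qvx '1'; then
        # Some active line sets another value (e.g. 0). Rewrite every active
        # line in place instead of appending a competing one.
        tmp=$(mktemp) || return 1
        sed -E "s/${KEY_RE}.*/net.ipv4.ip_forward = 1/" "$conf" > "$tmp" &&
            cat "$tmp" > "$conf"   # cat keeps the file's owner and mode
        rm -f "$tmp"
        echo updated
    else
        echo unchanged
    fi
}
```
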

How can I see the IP routes Tailscale installs?

As of v0.99 Tailscale routes moved into a separate routing table (to prevent routing loops in subnet routing), which the legacy netstat tool doesn’t display.

To see routes installed by Tailscale, use ip route instead:

ip route show table 52

How can I disable subnet route masquerading?

You can disable subnet route masquerading with:

tailscale up --snat-subnet-routes=false

How do I deploy Tailscale to a large fleet of devices?

You’ll want to use Tailscale’s pre-authenticated keys feature, which lets you authenticate devices by key rather than in-browser.

As an admin, you can create keys in the admin panel once you’re logged in.
