This article contains various suggestions and tips to help troubleshoot setup and connectivity issues. Please email suggestions to email@example.com.
- I can’t send/receive pings from Windows or macOS.
- My macOS client gets stuck at Loading backend…
- My firewall blocks everything by default. Which ports do I need to open?
- Tailscale won’t automatically update on macOS
- Two of my macOS devices have the same 100.x IP address
- I have managed to set up Tailscale on my Mac and iPhone. How do I access my Mac’s files from my iPhone?
- How do I know if my traffic is being routed through DERP?
- Can I route all of my traffic through a default route?
- Why do I get an error about IP forwarding when using advertise-routes?
- How can I see the IP routes Tailscale installs?
- How can I disable subnet route masquerading?
- How do I deploy Tailscale to a large fleet of devices?
I can’t send/receive pings from Windows or macOS.
Windows generally has aggressive firewall rules set up, even for ICMP (ping) traffic (both incoming and outgoing). Be sure that you’ve enabled your Windows machines to be able to both send and receive ICMP traffic.
A faster, but riskier approach to test this is to (temporarily) disable the Windows firewalls to see if it makes any impact.
Similarly, macOS’ “stealth mode” will prevent macOS from responding to pings. This can be enabled/disabled in your Mac’s Security & Privacy settings.
Please refer to this issue for updates on improving related notifications and user experience.
My macOS client gets stuck at
Do you have a virus scanner (or other form of endpoint security) such as ESET installed? In some cases we’ve found that security measures interfere with Tailscale’s operation.
My firewall blocks everything by default. Which ports do I need to open?
In general, you want to:
- Let your internal devices initiate TCP connections to
- Let your internal devices initiate UDP from
Tailscale won’t automatically update on macOS
Unfortunately, the App Store can’t automatically update the Tailscale macOS app while it’s running. You need to explicitly quit Tailscale before updating. This is a known issue that we’re working on.
Two of my macOS devices have the same 100.x IP address
This can occur if you use a backup of one machine to create another (i.e. the Tailscale configuration files are duplicated.)
To completely reset Tailscale on your Mac:
- Quit Tailscale.
- Open the
Keychain Accessapp. Search for
- Delete the entries for
- Restart Tailscale.
I have managed to set up Tailscale on my Mac and iPhone. How do I access my Mac’s files from my iPhone?
- Open the
Filesapp on your iPhone.
- Go to the
- Tap the
...in the top right.
Connect to Serverand enter your Mac’s Tailscale IP address.
At this point, any folders shared by your Mac (via SMB) are browseable.
How do I know if my traffic is being routed through DERP?
Use the Tailscale CLI to run the
tailscale status command. Any address or region code surrounded by *asterisks* is actively being used. If you see a relay code surrounded by asterisks (e.g. *nyc*), then your traffic is being routed through that relay. If no relay codes have asterisks, then your traffic is not being routed through any relay.
The CLI is only supported on macOS, Windows, and Linux.
Can I route all of my traffic through a default route?
This is a common feature request. Please see this issue on Github to track its status.
If you want to force your traffic through a particular IP (to handle an IP blocklist — a.k.a. an IP whitelist) then see the article on connecting to external services with IP blocklists via Tailscale.
Why do I get an error about IP forwarding when using advertise-routes?
Tailscale’s subnet feature requires IP forwarding to be enabled. If it is not enabled, you may see an error when using
You can enable IP forwarding on your Linux device by editing /etc/sysctl.conf:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf sudo sysctl -p /etc/sysctl.conf
Note, you only need to enable IP forwarding on the machine where
--advertise-routes is called.
How can I see the IP routes Tailscale installs?
As of v0.99 Tailscale routes moved into a separate routing table (to prevent
routing loops in subnet routing), which the legacy
To see routes installed by Tailscale use
ip route instead
ip route show table 52
How can I disable subnet route masquerading?
You can disable subnet route masquerading with
tailscale up --snat-subnet-routes=false
How do I deploy Tailscale to a large fleet of devices?
You’ll want to use Tailscale’s pre-authenticated keys feature, which let you authenticate devices by key rather than in-browser.
As an admin, you can create keys in the admin panel once you’re logged in.