Docs / FAQ

Troubleshooting guide

This article contains various suggestions and tips to help troubleshoot setup and connectivity issues. Email suggestions to [email protected].

I can’t send/receive pings from Windows or macOS

Windows generally has aggressive firewall rules set up, even for ICMP (ping) traffic (both incoming and outgoing). Be sure that you’ve enabled your Windows machines to be able to both send and receive ICMP traffic.

A faster, but riskier approach to test this is to (temporarily) disable the Windows firewalls to see if it makes any impact.

Similarly, macOS' “stealth mode” will prevent macOS from responding to pings. This can be enabled/disabled in your Mac’s Security & Privacy settings.

Refer to this issue for updates on improving related notifications and user experience.

My macOS client gets stuck at Loading backend...

Do you have a virus scanner (or other form of endpoint security) such as ESET installed? In some cases we’ve found that security measures interfere with Tailscale’s operation.

My firewall blocks everything by default. Which ports do I need to open?

Refer to this article.

Tailscale won’t automatically update on macOS

Unfortunately, the App Store can’t automatically update the Tailscale macOS app while it’s running. You need to explicitly quit Tailscale before updating. This is a known issue that we’re working on.

Two of my devices have the same 100.x IP address

This can occur if you use a backup of one machine to create another, or clone a filesystem from one machine to another. The Tailscale configuration files are duplicated. The Tailscale files will need to be removed from one of the two.

On one of the systems, uninstall and completely delete the Tailscale app. It is especially important to remove the files listed for your platform, the goal is to make a new Tailscale IP address when it is installed again.

Then, reinstall the app.

I have managed to set up Tailscale on my Mac and iPhone. How do I access my Mac’s files from my iPhone?

  1. Open the Files app on your iPhone.
  2. Go to the Browse tab.
  3. Tap the ... in the top right.
  4. Tap Connect to Server and enter your Mac’s Tailscale IP address.

At this point, any folders shared by your Mac (via SMB) are browseable.

How do I know if my traffic is being routed through DERP?

Use the Tailscale CLI to run the tailscale status command. Any address or region code surrounded by *asterisks* is actively being used. If you see a relay code surrounded by asterisks (e.g. *nyc*), then your traffic is being routed through that relay. If no relay codes have asterisks, then your traffic is not being routed through any relay.

The CLI is only supported on macOS, Windows, and Linux.

Can I route all of my traffic through a default route?

Yes! On Tailscale, you can define an exit node, which automatically configures default routes on your behalf.

If you want to force your traffic through a particular IP (to handle an IP blocklist — a.k.a. an IP allowlist) you can also route only a subset of your traffic using subnets. See the article on connecting to external services with IP blocklists via Tailscale for more details.

Why do I get an error about IP forwarding when using advertise-routes?

Tailscale’s routing features (subnet routers and exit nodes) require IP forwarding to be enabled. If it is not enabled, you may see an error when using --advertise-routes or --advertise-exit-node.

You can learn how to enable IP forwarding on your Linux device here.

How can I see the IP routes Tailscale installs?

As of v0.99 Tailscale routes moved into a separate routing table (to prevent routing loops in subnet routers), which the legacy netstat tool doesn’t display.

To see routes installed by Tailscale use ip route instead

ip route show table 52

How can I disable subnet route masquerading?

You can disable subnet route masquerading with

tailscale up --snat-subnet-routes=false

How do I deploy Tailscale to a large fleet of devices?

You’ll want to use Tailscale’s pre-authenticated keys feature, which let you authenticate devices by key rather than in-browser.

As an admin, you can create keys in the admin console once you’re logged in.

I set up –advertise-routes= for AWS access, and now Google doesn’t work

Only part of the range is private, the rest is public address space and Google has IP addresses in that range for some of its datacenters.

You can safely advertise the range instead:

tailscale up --advertise-routes=

I use the Tally ERP software package, which says “Unable to access the configured Tally Gateway Server” when Tailscale is active

Tally appears to bind to interfaces in a way which conflicts with VPN software like Tailscale. If the license server is running on the local PC, changing the Tally configuration via the UI or by editing Tally.ini to use “” as the license server instead of using the PC hostname allows it to work.

Last updated