Block incoming connections

Note

This feature is available on Windows, Mac, and Linux for Tailscale v0.98.197 and up. If you don’t see this option, you may need to update your client.

You may want to block devices on your Tailscale network from connecting to you. Let’s say you have a development computer and several webservers on Tailscale. You want to SSH from your computer into a webserver, but you don’t want to allow your webserver to SSH back to you.

To block incoming connections, open the device you’d like to protect and uncheck “Allow incoming connections.” When unchecked, your device will still be visible and allowed to send traffic, but won’t accept any connections over Tailscale, including pings.

This toggle is intended for individual users. For network admins who need to set rules for many devices, we recommend using our Access Control Lists (ACLs) feature. ACLs allow setting granular rules for your whole network in one place.

On macOS and Windows, you can block incoming connections via the menu bar. Instructions for more platforms are below.

Linux

By default Linux clients accept all incoming connections. To disable incoming connections, run tailscale up with the following flag:

sudo tailscale up --shields-up

Windows

From the system tray, right click on the Tailscale icon and check/uncheck “Allow incoming connections.”

Mac

From the menu bar, click on Tailscale and check/uncheck “Allow incoming connections.”

iOS

iOS doesn’t allow exposing external services, so there’s no need to block incoming traffic on iOS devices.

Last updated