Docs / Admin

Block incoming connections

This feature is available on Windows, Mac, and Linux for Tailscale v0.98.197 and up. If you don’t see this option, you may need to update your client.

You may want to block devices on your Tailscale network from connecting to you. Let’s say you have a development computer and several webservers on Tailscale. You want to SSH from your computer into a webserver, but you don’t want to allow your webserver to SSH back to you.

To block incoming connections, open the device you’d like to protect and uncheck “Allow incoming connections." When unchecked, your device will still be visible and allowed to send traffic, but won’t accept any connections over Tailscale, including pings.

This toggle is intended for individual users. For network admins who need to set rules for many devices, we recommend using our Access Control Lists (ACLs) feature. ACLs allow setting granular rules for your whole network in one place.

On macOS and Windows, you can block incoming connections via the menu bar. Instructions for more platforms are below.

On macOS and Windows, you can block incoming connections via the menu bar. Instructions for more platforms are below.

Toggling Incoming Connections

macOS

From the menu bar, click on Tailscale and check/uncheck “Allow incoming connections.”

iOS

iOS does not support blocking incoming connections.

Android

Android does not support blocking incoming connections.

Windows

From the system tray, right click on the Tailscale icon and check/uncheck “Allow incoming connections.”

Linux

By default Linux clients accept all incoming connections. To disable incoming connections, run tailscale up with the following flag:

sudo tailscale up --shields-up

Last updated