Tailscale ships with a built-in CLI that you can use to get information about your Tailscale+WireGuard® network and troubleshoot issues.
The location of the CLI varies depending on your platform:
On Linux, the CLI is your primary interface to Tailscale. The
binary is likely already in your $PATH, so commands can be run with:
On macOS, the CLI is bundled inside the Tailscale app. Run commands with:
If you frequently access the Tailscale CLI, you may find it convenient to add
an alias to your
.zshrc or shell config to make it easier.
On Windows, the CLI can be accessed by executing the .exe from the Command Prompt.
There is no CLI support for iOS and Android.
Up connects your device to Tailscale, and authenticates if needed.
tailscale up [flags]
tailscale up without any flags connects to Tailscale.
You can specify flags to configure Tailscale’s behavior. Flags are not persisted between runs; you must specify all flags each time.
To clear previously set flags like tags and routes, pass the flag with an empty argument:
# Connects with `tag:server` tailscale up --advertise-tags=tag:server # Connects and clears any tags tailscale up --advertise-tags=
In Tailscale v1.8 or later, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.
--accept-dnsAccept DNS configuration from the admin console. Defaults to accepting DNS settings.
--accept-routesAccept subnet routes that other nodes advertise. Linux devices default to not accepting routes.
--advertise-exit-nodeOffer to be an exit node for outbound internet traffic from the Tailscale network. Defaults to not offering to be an exit node.
--advertise-routes=<ip>Expose physical subnet routes to your entire Tailscale network.
--advertise-tags=<tags>Give tagged permissions to this device. You must be listed in
"TagOwners"to be able to apply tags.
--authkey=<key>Provide an auth key to automatically authenticate the node as your user account.
--exit-node=<ip>Provide a Tailscale IP to use as an exit node. To disable the use of an exit node, pass the flag with an empty argument:
--exit-node-allow-lan-accessAllow direct access to the local network when routing traffic via an exit node. Defaults to not allowing direct access to your LAN.
--host-routesInstall all host routes in the tailnet on the local network, in addition to advertised routes. Defaults to including host routes.
--hostname=<name>Provide a hostname to use for the device instead of the one provided by the OS.
--netfilter-mode(Linux only) Advanced feature for controlling the degree of automatic firewall configuration. Values are either “off”, “nodivert”, or “on”. Defaults to “on”, except for Synology which defaults to “off”. Setting this flag to “off” disables all management of
netfilter. Setting to “nodivert” creates and manages Tailscale sub-chains, but leaves the calling of those chains up to the administrator. Setting to “on” means using full management of Tailscale’s rules. Note that if you set
--netfilter-modeto “off” or “nodivert”, it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by
--netfilter-mode=onas a starting point.
--operator=<user>Provide a Unix username other than
--qrGenerate a QR code for the web login URL. Defaults to not showing a QR node.
--resetReset unspecified settings to default values.
--shields-upBlock incoming connections from other devices on your Tailscale network. Useful for personal devices that only make outgoing connections.
--snat-subnet-routes(Linux only) Source NAT traffic to local routes that are advertised with
--advertise-routes. Defaults to sourcing the NAT traffic to the advertised routes. Set to false to disable subnet route masquerading.
--sshRun a Tailscale SSH server, permitting access per the tailnet admin’s declared access policy, or the default policy if none is defined. Defaults to false.
--timeout=<duration>Maximum amount of time to wait for the Tailscale service to initialize.
durationcan be any value parseable by
time.ParseDuration(). Defaults to
0s, which blocks forever.
--unattended(Windows only) Run in unattended mode where Tailscale keeps running even after the current user logs out.
down disconnects from Tailscale. This command is the same as the “Disconnect” option on the macOS and Windows GUI clients.
When disconnected, you cannot reach devices over Tailscale. To reconnect, re-run
tailscale up without any flags.
bugreportcommand is available in Tailscale v1.8 or later. If you don’t see this command, consider updating your Tailscale client.
Bugreport makes it easier to report bugs to the Tailscale team by marking diagnostic logs with indicators to make triage easier.
If you encounter a connectivity issue, run
tailscale bugreport on the device experiencing the issue at the time you encounter it. This command will print a random identifier into diagnostic logs, which you can share with our team.
Identifiers look like this:
$ tailscale bugreport BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
This command shares no personally-identifiable information, and is unused unless you share the bug identifier with our team.
Generate certificate and key files on the host for HTTPS certificates in the network.
Access and make files available to Taildrop.
cpCopy files to a host
getMove files out of the Tailscale file inbox
ip returns a device’s Tailscale IP address.
tailscale ip [flags] [<hostname>]
By default, this command returns both an 100.x.y.z IPv4 address and an IPv6 address for the current device. You can return only an IPv4 or IPv6 address by passing either the
$ tailscale ip -4 100.121.112.23
You can also find the Tailscale IP for other devices on your network by adding the device hostname after the command. For example:
$ tailscale ip raspberrypi 100.126.153.111 fd7a:115c:a1e0:ab12:4843:cd96:627e:9975
-4Only return an IPv4 address
-6Only return an IPv6 address
-1Only return one address, preferring IPv4
Log out disconnects from Tailscale and expires the current log in. The next
time you run
tailscale up, you’ll need to reauthenticate your device.
Netcheck provides a report on your current physical network conditions. This command is provided to help debug connection troubles.
Netcheck will output a report like this:
Report: * UDP: true * IPv4: yes, <ip-address> * IPv6: no * MappingVariesByDestIP: false * HairPinning: false * PortMapping: false * Nearest DERP: 1 (nyc) * DERP latency: - 1, nyc = 43.6ms - 2, sfo = 67.4ms - 3, sin = 202.5ms - 4, fra = 91.9ms - 5, syd = 218.5ms
- UDP shows whether UDP traffic is enabled on the current network. If this is false, it’s unlikely Tailscale will be able to make point-to-point connections, and will instead rely on our encrypted TCP relays (DERP)
- IPv4 and IPv6 show your network public IP addresses and support for both protocols.
- MappingVariesByDestIP describes whether your device is behind a difficult NAT that varies the device’s IP address depending on the destination.
- HairPinning describes whether your router can route connections from endpoints on your LAN back to your LAN using those endpoints’ globally-mapped IPv4 addresses/ports.
- PortMapping describes a list of which three port-mapping services exist on your router. Possible values are “UPnP”, “NAT-PMP”, and “PCP”.
- DERP latency and Nearest DERP describe latency from our encrypted TCP relays (DERP). The lowest latency (“nearest”) server is used for traffic.
If any fields are blank, it means Tailscale wasn’t able to measure that network property.
All the information from
tailscale netcheck is also available in the
admin console, by clicking on a particular machine.
Prints the version of Tailscale.
Ping tries to ping another device exclusively over Tailscale.
ping command often works fine over Tailscale, but
tailscale ping provides more details about the connection over Tailscale that can be helpful when troubleshooting connectivity.
tailscale ping <hostname-or-ip>
--cMaximum number of pings to send. Defaults to 10.
--icmp=falsePerform an ICMP-level ping (through WireGuard, but not the local host OS stack). Defaults to false.
--peerapi=falseTry hitting the peer’s PeerAPI HTTP server. Defaults to false.
--tsmp=falsePerform a TSMP-level ping (through WireGuard, but not either host’s OS stack). Defaults to false.
--timeout=<duration>Maximum amount of time to wait before giving up on a ping.
durationcan be any value parseable by
time.ParseDuration(). Defaults to
--until-direct=falseStop once a direct path is established. Defaults to true.
--verbose=falseShow verbose output. Defaults to false.
Status shows the status of your connections to other Tailscale devices.
This command returns a table of information like so:
1 2 3 4 5 184.108.40.206 device-a apenwarr@ linux active; direct <ip-port>, tx 1116 rx 1124 220.127.116.11 device-b crawshaw@ macOS active; relay <relay-server>, tx 1351 rx 4262 18.104.22.168 device-c danderson@ windows idle; tx 1214 rx 50 22.214.171.124 device-d ross@ iOS —
From left-to-right, these columns represent:
- Column 1 is a Tailscale IP, which you can use to connect to the device.
- Column 2 is the machine name of the device. If you use MagicDNS, you can also use this name to connect.
- Column 3 is the email address for the owner of the device.
- Column 4 is the device OS.
- Column 5 shows the current connection status.
Connection status (column 5) is shown using three terms:
activemeans traffic is currently being sent/received from this device. You’ll also see either (a) “direct” for peer-to-peer connections, along with the IP address used to connect or (b) “relay” for connections using a relay server along with a city code (nyc, fra, tok, syd) for the respective location.
idlemeans traffic is not currently being sent/received from this device.
–means no traffic has ever been sent/received from this device.
idle connection statuses will also include tx/rx values indicating
the number of bytes sent (tx) and received (rx) from this device.
You can filter this list down to only active connections by running
tailscale status --active.
tailscale status with the
--json flag will return a machine-readable
tailscale status --json
Combine this with
jq to automate data
collection about your network. For example, the following command will count and
sort which relay servers your Tailscale peers are connected to.
tailscale status --json | jq -r '.Peer.Relay | select(.!="")' | sort | uniq -c | sort -nr
Spins up a webserver for controlling the
tailscaled daemon, where the CLI or a native app is not practical, e.g., on NAS devices.