Sharing your nodes with other users

Sharing lets you give another Tailscale user access to a private device within your network, without exposing it publicly. This can be helpful for giving contractors private access to a secure server, or sharing a private Minecraft server with friends.

Sharing gives the recipient user network access to only the shared device, and nothing else. It respects the ACL and MagicDNS settings of both your network and the recipient user’s network. Sharing strips ACL tags, groups, and subnet information from the recipient network. A shared node is visible only to the individual recipient user—it is not visible to the recipient user’s entire tailnet.

Sharing is included in every plan, including our free Personal plan.

Sharing is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.4 or later.

Instructions

You need to be an Owner, Admin, or IT Admin of a tailnet in order to share a node.

Step 1: Open the sharing panel from the admin console

Open the machines page of the admin console and find the machine you’d like to share. Press the ellipsis icon on the right side of the page and then Share this machine to open the sharing panel.

The 'Share this machine' button in the Tailscale admin console

From the sharing panel, you can create private invite links that grant access. Links are one-time use and never expire.

Create an invite link by clicking Generate & copy invite link. This will automatically copy it to your clipboard.

The sharing panel, showing the 'Generate & copy invite link' button

Share the copied invite link to your intended recipient.

Devices cannot be shared with a tag or with another tagged device. Devices must be shared with other users.

Treat the invite link the way you would a password, since it provides the ability to connect to a device within your private network.

Step 4: Wait for the recipient to accept

You need to be an Owner, Admin, or IT Admin of a tailnet in order to accept a shared node.

The recipient can visit the invite link to review your invitation. Once they accept, you’ll see their profile picture and email address in the share panel.

You’ll also see an indicator in the machine list showing which machines have been shared to external users.

The sharing panel, with an accepted invite link, which shows the accepted user's email and avatar
Unused invite links expire after 30 days.

Step 5: Connect

Once accepted, recipients will see your shared device from their own Tailscale clients and admin console, as if it was on their own network. For example, the macOS app will display it in the menu bar, and Linux apps will see it from tailscale status.

Shared devices are accessible from the same Tailscale IP as on the sharer’s network. Sharers can provide Tailscale IP addresses in advance and trust that they will be the same on the share recipient’s network.

Shared devices are quarantined by default. They can respond to incoming connections from the network they’re shared to, but cannot initiate connections on their own.

As of Tailscale v1.4, shared devices will appear in the other network as the sharer, not the owner of the device. If Ross shares his coworker Dave’s device to another network, it will appear to be owned by Ross in the new network.

Optional: Revoking an invite/share

Either network can revoke an invite or share from their admin console at any point in time. Sharers can revoke access from the Sharing settings panel. Share recipients can revoke access by going to the external machines page and removing the device.

Once revoked, the recipient user can no longer access the shared device. To restore access, the sharer must create a new invite and the recipient must accept that new invite.

How sharing works

Sharing a device exposes that device to a user on another network. Only that user is able to see and access your device. It is invisible to other users on that network.

In this example, only the shared device from network A and the share recipient's devices in network B can talk across network boundaries.

In this example, only the shared device from network A and the share recipient’s devices in network B can talk across network boundaries.

When you accept an invite, Tailscale exposes the minimum set of information possible about your network to that device. Accepting a invite exposes:

  • The email and avatar of the recipient (required to help confirm invites)
  • Physical device IPs of machines from your network (required for connections)

We will introduce new features to the Tailscale client that further limit the device IPs exposed. Be sure to keep your client software up-to-date to receive the latest privacy and security updates.

Quarantine

Shared devices are quarantined by default. They can respond to incoming connections from the network they’re shared to, but cannot initiate connections on their own. Quarantining helps sharing be “secure by default”, since you can accept shares with no risk of exposing your network.

In the future we will provide an option to disable quarantining for full bidirectional communication.

Sharing & MagicDNS

MagicDNS is a per-network setting. If your network has MagicDNS enabled, you will be able to access devices over MagicDNS regardless of the other network’s settings.

Shared devices can be accessed using MagicDNS in Tailscale v1.4 or later. Shared devices can only be reached by using their full MagicDNS name, which looks like [hostname].[user-domain].beta.tailscale.net. If your friend user@example.com shares a device named minecraft-server to your network, you can reach it at minecraft-server.example.com.beta.tailscale.net. It will not be reachable at minecraft-server for your network.

These restrictions are necessary to prevent MagicDNS names from changing unexpectedly, and to support future features on top of sharing.

However, full MagicDNS names are cumbersome to type. Until we provide a more comprehensive solution, you can opt-in to using shortnames for shared devices by adding the MagicDNS name suffix to your network’s search domains. In the above example, if you add example.com.beta.tailscale.net to your search domains, any devices shared to you from the example.com network will be reachable by their hostname, such as minecraft-server. If two names intersect, the name from your own network will win.

Sharing & Access Control Lists (ACLs)

Sharing respects the ACLs of both networks. If either network disallows connections to/from a device, no connections can be established. If you’re having trouble connecting to a shared device, review your tailnet policy file for rules that might be blocking access.

To write ACL rules that apply to a shared device, you can use the email address of the recipient. For example, if I invite shreya@example.com to share my device at 100.74.78.2, I can give her access to a particular host.

"acls": [
  { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] }
  { "action": "accept", "src": ["shreya@example.com"], "dst": ["100.74.78.2:*"] }
]
Be careful of rules like "src": ["*"], which apply to everyone who has access to your network, including invited users. Consider making a group that includes all your internal network users instead of *.

You can also write ACL rules by using the special autogroup:shared group. This group automatically includes all users invited to your network, and lets you write rules without knowing email addresses in advance.

For example, to restrict invited users to only access webserver ports 80 and 443, you can write a rule like so:

"acls": [
  // Admins can access everything on the network.
  { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] },
  // Shared users can only access port 80 and 443 of devices they are invited to.
  { "action": "accept", "src": ["autogroup:shared"], "dst": ["*:80,443"] },
]

Remember: invited users are only able to access devices you’ve invited them to share. ACL rules further limit what they can access. Although the rule *:80,443 seems like it allows access to all devices, it only further restricts their access to the ports we’ve specified.

Sharing does not expose ACL tags to the other network. All tag information is stripped and cannot be used in the tailnet policy file of the other network.

Sharing & Subnets (subnet routers)

Sharing does not expose subnet relayed traffic to the other network. We may introduce support for sharing subnets at a later time, via an opt-in process.

Sharing & Exit Nodes

Sharing an exit node exposes it to the other network.

To share an exit node, use the following sequence:

  1. Advertise the device as an exit node.

  2. If you are not using autoApprovers, allow the exit node from the admin console.

  3. Share the node per the instructions above, allowing the recipient to use it as an exit node. Ensure the Let the recipient use this machine as an exit node option is checked.

To remove shared access to an exit node:

  1. Revoke the share.

If you want to share the node again, share it per the instructions above and ensure the Let the recipient use this machine as an exit node option is unchecked.

Sharing & suspended or deleted users

If a user is deleted, the shared nodes they manage will be deleted. If a user is suspended, the shared nodes they manage will not be able to connect to other devices.

If a user shared nodes they do not manage, those will still be shared even if the user is deleted.

Sharing & rewards

Every time you share a node with a unique user and they accept the invitation, we’ll increase the device limit on both your accounts by two. This is valid for every unique domain that accepts a node shared by you. The rewards are applied automatically when the invitation is accepted, and will be reflected in your device limits on the Billing page of the admin console

The Billing page in the Tailscale admin console

Thank you for sharing!

Troubleshooting

I can see a device that was shared with me, but I can’t connect to it.

  • If you’re trying to access the device by machine name (and not 100.x.y.z address), ensure you have MagicDNS enabled. MagicDNS must be manually enabled from the DNS page.
  • Review your network’s ACLs to see if you have any rules that might disallow access. If you don’t, it’s possible the network that shared it with you is restricting the traffic. Ask them to review their ACLs too.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms