Sharing your nodes with other users

Sharing lets you give any Tailscale user on any Tailscale network (known as a tailnet) access to a device without exposing the device publicly. This can be helpful for giving contractors private access to a secure server, or sharing a private Minecraft server with friends.

Sharing gives the recipient access to only the shared device in your tailnet, and nothing else. It respects the ACL and MagicDNS settings of both your tailnet and the recipient’s tailnet. Sharing strips ACL tags, groups, and subnet information from the recipient tailnet. A shared node is visible only to the individual recipient user—it is not visible to the recipient user’s entire tailnet.

Sharing is available for all plans.
We recommend using Tailscale 1.42 or later for new shares. Existing shares will continue to work.
Sharing is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.4 or later.

Instructions

You need to be an Owner, Admin, or IT admin of a tailnet in order to share a node.

Step 1: Open the Share dialog from the admin console

Open the Machines page of the admin console and find the machine you’d like to share. Click the ellipsis icon menu on the right side of the page, then select Share to open the Share dialog.

The 'Share this machine' button in the Tailscale admin console

From the Share dialog, you can create private invite links that grant access. You can choose to make a single-use invite link, or a multi-use invite link. A single-use invite link is a one-time use link. A multi-use invite link can be used up to 1,000 times. Unused links expire in 30 days, for both single-use and multi-use invite links.

To create a single-use invite link, click Generate & copy invite link. This will automatically copy it to your clipboard.

To create a multi-use invite link, enable Multi-use and then click Generate & copy multi-use invite link. Click Copy invite link to copy the link to your clipboard.

The Share machine-name dialog, showing the 'Generate & copy multi-use invite link' button

Share the copied invite link to your intended recipient.

Devices cannot be shared with a tag or with another tagged device. Devices must be shared with other users.

Treat the invite link the way you would a password, since it provides the ability to connect to a device within your tailnet.

Step 4: Wait for the recipient to accept

You need to be an Owner, Admin, or IT admin of a tailnet in order to accept a shared node.

The recipient can visit the invite link to review your invitation. Once they accept, you’ll see their profile picture and email address in the Share dialog.

You’ll also see an indicator in the machine list showing which machines have been shared to external users.

The Share machine-name dialog, with an accepted invite link, which shows the accepted user's email and avatar
Unused invite links expire after 30 days.

Step 5: Connect

Once accepted, recipients will see your shared device from their own Tailscale clients and admin console, as if it was on their own tailnet. For example, the macOS app will display it in the menu bar, and Linux apps will see it from tailscale status.

Shared devices are accessible from the same Tailscale IP as on the sharer’s tailnet. Sharers can provide Tailscale IP addresses in advance and trust that they will be the same on the share recipient’s tailnet.

Shared devices are quarantined by default. They can respond to incoming connections from the tailnet they’re shared to, but cannot initiate connections on their own.

As of Tailscale v1.4, shared devices will appear in the other tailnet as the sharer, not the owner of the device. If Ross shares his co-worker Dave’s device to another tailnet, it will appear to be owned by Ross in the new tailnet.

Optional: Revoking an invite/share

You can revoke a share or share invite from the Machines page of the admin console: open the Share option for the device, then in the pop-up window click the ellipsis icon menu and select Revoke invite.

Revoke a machine from being shared

Once revoked, the recipient user can no longer access the shared device. To restore access, the sharer must create a new invite and the recipient must accept that new invite.

How sharing works

Sharing a device exposes that device to a user on another tailnet. Only that user is able to see and access your device. It is invisible to other users on that tailnet.

In this example, only the shared device from tailnet A and the share recipient's devices in tailnet B can talk across tailnet boundaries.

When you accept an invite, Tailscale exposes the minimum set of information possible about your tailnet to that device. Accepting an invite exposes:

  • The email and avatar of the recipient (required to help confirm invites)
  • Physical device IPs of machines from your tailnet (required for connections)

Quarantine

Shared devices are quarantined by default. They can respond to incoming connections from the tailnet they’re shared to, but cannot initiate connections on their own. Quarantining helps sharing be “secure by default”, since you can accept shares with no risk of exposing your tailnet.

Sharing & MagicDNS

MagicDNS is a per-tailnet setting. If your tailnet has MagicDNS enabled, you will be able to access devices over MagicDNS regardless of the other tailnet’s settings.

Shared devices can be accessed using MagicDNS in Tailscale v1.4 or later. Shared devices can only be reached by using their fully qualified domain name, which looks like [hostname].[tailnet-name].ts.net. [hostname] is the machine name of a device, and [tailnet-name] is the tailnet name of a tailnet. For example, if your friend shares a device named minecraft-server on the yak-bebop tailnet to your tailnet, you can reach it at minecraft-server.yak-bebop.ts.net. It will not be reachable at minecraft-server for your tailnet.

Previously, you might have used a tailnet name ending in .beta.tailscale.net. If so, migrate to the new tailnet name that ends in .ts.net. The existing beta.tailscale.net name remains supported until at least November 1, 2023.

These restrictions are necessary to prevent MagicDNS names from changing unexpectedly, and to support future features on top of sharing.

Sharing & Access Control Lists (ACLs)

Sharing respects the ACLs of both tailnets. If either tailnet disallows connections to/from a device, no connections can be established. If you’re having trouble connecting to a shared device, review your tailnet policy file for rules that might be blocking access.

To write access rules that apply to a shared device, you can use the email address of the recipient. For example, if I invite alice@example.com to share my device at 100.74.78.2, I can give her access to a particular host.

"acls": [
  // Admins can access everything on the tailnet.
  { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] },
  // The invited user can reach only the shared device.
  { "action": "accept", "src": ["alice@example.com"], "dst": ["100.74.78.2:*"] },
]

Be careful of rules like "src": ["*"], which apply to everyone who has access to your tailnet, including invited users. Consider making a group that includes all your tailnet users instead of *.

You can also write access rules by using the special autogroup:shared group. This group automatically includes all users invited to your tailnet, and lets you write rules without knowing email addresses in advance.

For example, to restrict invited users to only access webserver ports 80 and 443, you can write a rule like so:

"acls": [
  // Admins can access everything on the tailnet.
  { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] },
  // Shared users can only access port 80 and 443 of devices they are invited to.
  { "action": "accept", "src": ["autogroup:shared"], "dst": ["*:80,443"] },
]

Remember: invited users are only able to access devices you’ve invited them to share. Access rules further limit what they can access. Although the rule *:80,443 seems like it allows access to all devices, it only further restricts their access to the ports we’ve specified.
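The following is an added illustration, not Tailscale's own code: a small Python model of how the sharer's ACLs combine with node sharing, as described above. It assumes a simplified matching model (a source of "*" matches everyone including invited users, "autogroup:shared" matches only invited users, and an invited user is first limited to the devices shared with them before any ACL rule is consulted). The tailnet, the shares, and both policies are constructed sample data; the "weak" policy uses "src": ["*"], the hardened one uses a group for tailnet members plus autogroup:shared.

```python
"""Simplified model of sharing + ACL evaluation on the sharer's tailnet.

Added example; semantics are an approximation of the documented behaviour,
not Tailscale's implementation.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample tailnet (assumed names and addresses).
MEMBERS: Set[str] = {"ross@example.com", "dave@example.com"}
GROUPS: Dict[str, List[str]] = {
    "group:admins": ["ross@example.com"],
    "group:members": ["ross@example.com", "dave@example.com"],
}
DEVICES: Dict[str, str] = {
    "100.74.78.2": "minecraft-server",
    "100.101.102.103": "db-server",
}
# Share recipients (users on other tailnets) -> devices shared with them.
SHARES: Dict[str, Set[str]] = {"alice@example.com": {"100.74.78.2"}}

# Weak setting: "*" as a source also matches invited users.
WEAK_POLICY = {"acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
]}

# Corrected setting: a group for tailnet users, and a narrow rule for shared users.
HARDENED_POLICY = {"acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:members"], "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:shared"], "dst": ["*:80,443"]},
]}


def src_matches(src: str, user: str) -> bool:
    """Does an ACL source selector match this user?"""
    if src == "*":
        return True                      # everyone, invited users included
    if src == "autogroup:shared":
        return user in SHARES            # only invited (shared-to) users
    if src.startswith("group:"):
        return user in GROUPS.get(src, [])
    return src == user                   # literal email address


def dst_matches(dst: str, ip: str, port: int) -> bool:
    """Does a 'host:ports' destination selector match this ip/port?"""
    host, ports = dst.rsplit(":", 1)
    if host not in ("*", ip):
        return False
    if ports == "*":
        return True
    for spec in ports.split(","):
        if "-" in spec:
            lo, hi = (int(x) for x in spec.split("-"))
            if lo <= port <= hi:
                return True
        elif int(spec) == port:
            return True
    return False


def acl_allows(policy: dict, user: str, ip: str, port: int) -> bool:
    """True if any accept rule in the policy matches the user and destination."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if any(src_matches(s, user) for s in rule["src"]) and \
           any(dst_matches(d, ip, port) for d in rule["dst"]):
            return True
    return False


def can_reach(policy: dict, user: str, ip: str, port: int) -> bool:
    """Sharing gate first, then ACLs: an invited user never sees unshared devices."""
    if user not in MEMBERS and ip not in SHARES.get(user, set()):
        return False
    return acl_allows(policy, user, ip, port)


def reachable(policy: dict, user: str,
              ports: Tuple[int, ...] = (22, 80, 443)) -> Set[Tuple[str, int]]:
    """(device name, port) pairs the user can reach; used to compare policies."""
    return {(DEVICES[ip], p) for ip in DEVICES for p in ports
            if can_reach(policy, user, ip, p)}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "alice:", sorted(reachable(policy, "alice@example.com")))
```

Under the weak policy the invited user can still reach only the shared device, but on every port; under the hardened policy the same user is limited to ports 80 and 443 of that device, while tailnet members keep full access through their group.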

Sharing does not expose ACL tags to the other tailnet. All tag information is stripped and cannot be used in the tailnet policy file of the other tailnet.

Sharing & Subnets (subnet routers)

Shared nodes do not advertise subnets to the tailnets they’re shared into, while inviting external users into your tailnet will give them access to subnet routers.

Sharing & Exit Nodes

Sharing an exit node exposes it to the other tailnet.

To share an exit node, use the following sequence:

  1. Advertise the device as an exit node.

  2. If you are not using autoApprovers, allow the exit node from the admin console.

  3. Share the node per the instructions above, allowing the recipient to use it as an exit node. Ensure the Let the recipient use this machine as an exit node option is checked.

To remove shared access to an exit node:

  1. Revoke the share.

If you want to share the node again, share it per the instructions above and ensure the Let the recipient use this machine as an exit node option is unchecked.

Sharing & suspended or deleted users

If a user is deleted, the shared nodes they manage will be deleted. If a user is suspended, the shared nodes they manage will not be able to connect to other devices.

If a user shared nodes they do not manage, those will still be shared even if the user is deleted.

Sharing & rewards

Every time you share a node with a unique user and they accept the invitation, we’ll increase the device limit on both your accounts by two. This is valid for every unique domain that accepts a node shared by you. The rewards are applied automatically when the invitation is accepted, and will be reflected in your device limits on the Billing page of the admin console.

The Billing page in the Tailscale admin console

Thank you for sharing!

Troubleshooting

I can see a device that was shared with me, but I can’t connect to it.

  • If you’re trying to access the device by machine name (and not 100.x.y.z address), ensure you have MagicDNS enabled. MagicDNS must be manually enabled from the DNS page.
  • Review your tailnet’s ACLs to see if you have any rules that might disallow access. If you don’t, it’s possible the tailnet that shared it with you is restricting the traffic. Ask them to review their ACLs too.