Sharing your nodes with other users

Sharing lets you give another Tailscale user access to a private device within your network, without exposing it publicly. This can be helpful for giving contractors private access to a secure server, or sharing a private Minecraft server with friends.

Sharing gives the recipient Tailscale network access to only the shared device, and nothing else. It respects the ACL and MagicDNS settings of both networks, and strips ACL tags, groups, and subnet information from the recipient network.

Sharing is included in every plan, including our free Personal plan.

Sharing is currently a public beta feature. We’d love to hear any feedback you have about how we can make sharing better.

Instructions

Step 1: Open the sharing panel from the admin panel

Open the machines page of the admin panel and find the machine you’d like to share. Press the ellipsis icon on the right side of the page and then “Share this machine…” to open the sharing panel.

The 'Share this machine…' button in the Tailscale admin panel

From the sharing panel, you can create private invite links that grant access. Links are one-time use and never expire.

Create an invite link by adding a label and then pressing “Create link.” The label can be anything you want; it is not shown to anyone else. It is there for you to keep things organized if you’re inviting several users.

Once you’ve created a link, copy it to your clipboard.

The sharing panel, showing a newly created link and the 'Copy link' button

Share the copied invite link with your intended recipient. You must be a member of the beta to create invites, but any Tailscale network admin can accept and reach shared devices.

Treat the invite link the way you would a password, since it grants the ability to connect to a device within your private network.

Step 4: Wait for the recipient to accept

The recipient can visit the invite link to review your invitation. Once they accept, you’ll see their profile picture and email address in the share panel.

You’ll also see an indicator in the machine list showing which machines have been shared to external users.

The sharing panel, with an accepted invite link, which shows the accepted user's email and avatar

Step 5: Connect

Once accepted, recipients will see your shared device from their own Tailscale clients and admin panel, as if it were on their own network. For example, the macOS app will display it in the menu bar, and Linux users will see it in the output of tailscale status.

Shared devices are accessible from the same Tailscale IP as on the sharer’s network. Sharers can provide Tailscale IP addresses in advance and trust that they will be the same on the share recipient’s network.

Shared devices are quarantined by default. They can respond to incoming connections from the network they’re shared to, but cannot initiate connections on their own.

As of Tailscale v1.4, shared devices will appear in the other network as the sharer, not the owner of the device. If Ross shares his coworker Dave’s device to another network, it will appear to be owned by Ross in the new network.

Optional: Revoking an invite/share

Either network can revoke an invite or share from their admin panel at any point in time. Sharers can revoke access from the “sharing settings” panel. Share recipients can revoke access by going to the external machines page and removing the device.

Once revoked, the recipient network can no longer access the shared device. To restore access, the sharer must create a new invite and the recipient must accept that new invite.

How sharing works

Sharing a device exposes that device to a user on another network. Only that user is able to see and access your device. It is invisible to other users on that network.

In this example, only the shared device from network A and the share recipient's devices in network B can talk across network boundaries.

When you accept an invite, Tailscale exposes the minimum set of information possible about your network to that device. Accepting an invite exposes:

  • The email and avatar of the recipient (required to help confirm invites)
  • Physical device IPs of machines from your network (required for connections)

We will introduce new features to the Tailscale client that further limit the device IPs exposed. Be sure to keep your client software up-to-date to receive the latest privacy and security updates.

Quarantine

Shared devices are quarantined by default. They can respond to incoming connections from the network they’re shared to, but cannot initiate connections on their own. Quarantining helps sharing be “secure by default,” since you can accept shares with no risk of exposing your network.

In the future we will provide an option to disable quarantining for full bidirectional communication.

Sharing & MagicDNS

MagicDNS is a per-network setting. If your network has MagicDNS enabled, you will be able to access devices over MagicDNS regardless of the other network’s settings.

Shared devices can be accessed using MagicDNS on the upcoming Tailscale v1.4 release and newer. Shared devices can only be reached by using their full MagicDNS name, which looks like [hostname].[user-domain].beta.tailscale.net. If your friend [email protected] shares a device named minecraft-server to your network, you can reach it at minecraft-server.example.com.beta.tailscale.net. It will not be reachable at minecraft-server for your network.

These restrictions are necessary to prevent MagicDNS names from changing unexpectedly, and to support future features on top of sharing.

However, full MagicDNS names are cumbersome to type. Until we provide a more comprehensive solution, you can opt in to using short names for shared devices by adding the MagicDNS name suffix to your network’s search domains. In the above example, if you add example.com.beta.tailscale.net to your search domains, any devices shared to you from the example.com network will be reachable by their hostname, such as minecraft-server. If a shared device’s hostname collides with one in your own network, the name from your own network wins.
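As an added example (not Tailscale’s code), the following Python model captures the naming rules described above: the full MagicDNS name form, the fact that a bare hostname of a shared device does not resolve unless the sharer’s suffix is in your search domains, and the rule that your own network’s name wins on a collision. The network domains and IP addresses in it are constructed sample values.

```python
# Added example, not Tailscale's code: a model of the MagicDNS naming rules for
# shared devices, including the search-domain shortcut and the rule that a name
# from your own network wins on conflict. All sample data is constructed.
SUFFIX = "beta.tailscale.net"


def magicdns_name(hostname, user_domain):
    """Full MagicDNS name of a device: [hostname].[user-domain].beta.tailscale.net."""
    return f"{hostname}.{user_domain}.{SUFFIX}"


def resolve(name, own_domain, own_hosts, shared_hosts, search_domains=()):
    """Resolve `name` the way a client on the `own_domain` network would.

    own_hosts:    {hostname: ip} for devices in our own network (short names work).
    shared_hosts: {hostname: (sharer_user_domain, ip)} for devices shared to us;
                  only their full name works unless the sharer's suffix is a
                  search domain.  Returns an IP string or None.
    """
    full_shared = {magicdns_name(h, d): ip for h, (d, ip) in shared_hosts.items()}
    full_own = {magicdns_name(h, own_domain): ip for h, ip in own_hosts.items()}
    if "." in name:                        # fully qualified MagicDNS name
        return full_own.get(name) or full_shared.get(name)
    if name in own_hosts:                  # own network always wins
        return own_hosts[name]
    for domain in search_domains:          # opt-in short names for shared devices
        ip = full_shared.get(f"{name}.{domain}")
        if ip:
            return ip
    return None
```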

Sharing & Access Control Lists (ACLs)

Sharing respects the ACLs of both networks. If either network disallows connections to/from a device, no connections can be established. If you’re having trouble connecting to a shared device, review your ACL file for rules that might be blocking access.

To write ACL rules that apply to a shared device, you can use the email address of the recipient. For example, if I invite [email protected] to share my device at 100.74.78.2, I can give her access to a particular host.

"ACLs": [
  { "Action": "accept", "Users": ["group:admins"], "Ports": ["*:*"] }
  { "Action": "accept", "Users": ["[email protected]"], "Ports": ["100.74.78.2:*"] }
]
Be careful of rules like "Users": ["*"], which apply to everyone who has access to your network, including invited users. Consider making a group that includes all your internal network users instead of *.

You can also write ACL rules by using the special autogroup:shared group. This group automatically includes all users invited to your network, and lets you write rules without knowing email addresses in advance.

For example, to restrict invited users to only access webserver ports 80 and 443, you can write a rule like so:

"ACLs": [
  // Admins can access everything on the network.
  { "Action": "accept", "Users": ["group:admins"], "Ports": ["*:*"] },
  // Shared users can only access port 80 and 443 of devices they are invited to.
  { "Action": "accept", "Users": ["autogroup:shared"], "Ports": ["*:80,443"] },
]

Remember: invited users are only able to access devices you’ve invited them to share. ACL rules further limit what they can access. Although the rule *:80,443 seems like it allows access to all devices, it only further restricts their access to the ports we’ve specified.
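As an added example (not Tailscale’s code), here is a small Python model of the access decision this section describes: a share scopes a recipient to the invited devices only, both networks’ ACLs must then accept the connection, autogroup:shared matches every invited user, and a "Users": ["*"] rule matches invited users too. It mirrors only the Action/Users/Ports rule shape shown above, and the network, email and address values are constructed.

```python
# Added example, not Tailscale's code: a small model of how a share combines with
# the ACLs of both networks. Real policy files are HuJSON with richer selectors;
# this mirrors only the {"Action", "Users", "Ports"} rule shape shown above.
from dataclasses import dataclass, field


@dataclass
class Network:
    groups: dict = field(default_factory=dict)  # "group:x" -> set of emails
    acls: list = field(default_factory=list)    # rules as in the policy file
    shares: dict = field(default_factory=dict)  # invited email -> {device IP}


def user_matches(net, selector, user):
    if selector == "*":
        return True                   # everyone, invited users included
    if selector == "autogroup:shared":
        return user in net.shares     # every user invited to this network
    if selector.startswith("group:"):
        return user in net.groups.get(selector, set())
    return selector == user           # a literal email address


def port_matches(selector, ip, port):
    host, ports = selector.rsplit(":", 1)
    return host in ("*", ip) and (ports == "*" or str(port) in ports.split(","))


def acl_allows(net, user, ip, port):
    """Does this network's own ACL accept user -> ip:port?"""
    return any(rule.get("Action") == "accept"
               and any(user_matches(net, u, user) for u in rule["Users"])
               and any(port_matches(p, ip, port) for p in rule["Ports"])
               for rule in net.acls)


def can_connect(sharer, recipient, user, ip, port):
    """Can `user` (a member of `recipient`) reach ip:port on a device in `sharer`?
    The share scopes access to invited devices only; then both ACLs must accept."""
    if ip not in sharer.shares.get(user, set()):
        return False
    return acl_allows(sharer, user, ip, port) and acl_allows(recipient, user, ip, port)


def example_networks():
    """Constructed sample data: network A shares 100.74.78.2 with alice@b.example."""
    a = Network(groups={"group:admins": {"ross@a.example"}}, acls=[
        {"Action": "accept", "Users": ["group:admins"], "Ports": ["*:*"]},
        {"Action": "accept", "Users": ["autogroup:shared"], "Ports": ["*:80,443"]},
    ], shares={"alice@b.example": {"100.74.78.2"}})
    b = Network(acls=[{"Action": "accept", "Users": ["alice@b.example"],
                       "Ports": ["100.74.78.2:443"]}])
    return a, b
```

Note that acl_allows(a, "alice@b.example", "100.101.102.103", 80) is True even though that device is not shared: the *:80,443 rule only narrows ports, and can_connect still refuses because the share itself does not include that device.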

Sharing does not expose ACL tags to the other network. All tag information is stripped and cannot be used in the ACLs of the other network.

Sharing & Subnets (subnet routers)

Sharing does not expose subnet relayed traffic to the other network. We may introduce support for sharing subnets at a later time, via an opt-in process.

Sharing & Exit Nodes

Like subnets, sharing does not expose exit nodes to the other network. We may introduce support for sharing exit nodes at a later time, via an opt-in process.

Troubleshooting

I can see a device that was shared with me, but I can’t connect to it.

  • If you’re trying to access the device by machine name (rather than its 100.x.y.z address), ensure you have MagicDNS enabled. MagicDNS must be manually enabled from the DNS page.
  • Review your network’s ACLs to see if you have any rules that might disallow access. If you don’t, it’s possible the network that shared it with you is restricting the traffic. Ask them to review their ACLs too.