Docs / Admin

Userspace networking mode (for containers)

Userspace Networking mode allows running Tailscale where you don’t have access to create a VPN tunnel device. This often happens in container environments.

Tailscale works on Linux systems using a device driver called /dev/net/tun, which allows us to instantiate the VPN tunnel as though it were any other network interface like Ethernet or Wi-Fi. This lets any Linux application — from a web browser to the ping CLI command — send its traffic through the Tailscale interface.

However, not all Linux systems support /dev/net/tun. For example, some container-based app platforms such as Heroku or Google Cloud Run do not. For those environments, userspace networking mode offers a different way of running, where tailscaled functions as a SOCKS5 or HTTP proxy which other processes in the container can connect through.

Userspace networking mode with SOCKS5 is available in Tailscale v1.8 or greater, and the HTTP proxy is available in Tailscale v1.16 or greater. Update your clients to use these features.


Which kind of proxy do you need?

A SOCKS5 proxy is a more general and flexible proxy that can work with any traffic.

An HTTP proxy is only for that protocol, so it only proxies HTTP and HTTPS traffic, e.g., to webpages.

Step 1: Start tailscaled/tailscale in userspace networking mode

You can enable userspace networking from the Tailscale CLI by passing the --tun=userspace-networking flag to tailscaled before calling tailscale up. To use a SOCKS5 proxy:

tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
tailscale up --authkey=<your auth key>

To use an HTTP proxy, use the flag --outbound-http-proxy-listen=localhost:1055 instead of --socks5-server.

Userspace networking mode is primarily designed for serverless environments. We recommend using it with ephemeral nodes / auth keys (as shown above).

Step 2: Configure your application to use SOCKS5 or HTTP

Once Tailscale is authenticated, your application can connect using a SOCKS5 or HTTP proxy. Many widely used networking packages support these proxies already, generally by setting an ALL_PROXY, HTTP_PROXY, or http_proxy environment variable. For many applications, you’ll need a command like this:

ALL_PROXY=socks5://localhost:1055/ ./my-app


HTTP_PROXY=http://localhost:8055/ ./my-app


http_proxy=http://localhost:8055/ ./my-app

Some widely-used programming libraries support ALL_PROXY, while others only support HTTP_PROXY or http_proxy. You may need to experiment to find the right setting for your app.

Done! Your application should now be able to communicate with Tailscale devices on your network.

For instructions on how to use Tailscale on specific serverless platforms, see the articles below:

We’d love to hear about the cool things you build. Mention @tailscale on Twitter or email us at [email protected].

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms