Tailscale Funnel

Tailscale Funnel is a feature that lets you route traffic from the wider internet to a local service running on a machine in your Tailscale network (known as a tailnet). You can think of this as publicly sharing a local service, like a web app, for anyone to access—even if they don’t have Tailscale themselves. This page provides information about how Funnel works behind the scenes and how to get started with it on your tailnet. For more specific Funnel use cases and examples, see Tailscale Funnel examples.

If you’d like to share local services only with other devices in your tailnet, use Tailscale Serve instead.

How it works

The following diagram demonstrates how a site is shared securely using Funnel.

1. The device accessing the Funnel URL contacts public DNS servers to resolve the URL to a server's IP address. The public DNS servers then respond with the IP address of a Funnel relay server. They do not resolve to your device’s IP address.

2. The device accessing the Funnel site sends a request to the Funnel relay server.

3. The Funnel relay server establishes a TCP proxy to your node over Tailscale. This proxy serves as an encrypted relay between the Funnel relay server and your node. We use a relay server to send Funnel traffic between public devices and your node to ensure your node's IP address isn't exposed to the internet. Importantly, the Funnel relay servers do not decrypt traffic moving between public devices and your nodes exposed through Funnel, so Tailscale cannot see any information about the content being served.

4. The Tailscale server on your node terminates the Transport Layer Security (TLS) and passes the request to the local service you've exposed through Funnel.

5. The local server responds to the Tailscale server running on your node.

6. The Tailscale server on your node encrypts the response and sends it back to the Funnel relay server over the TCP proxy.

7. Without decrypting the response, the Funnel relay server forwards the response to the user's device, which terminates the TLS and reads the response.

Setup

Tailscale Funnel is off by default and requires a double opt-in process to enable.

The Tailscale CLI command tailscale funnel provides an interactive web UI that will prompt you to allow Tailscale to enable Tailscale Funnel on your behalf. If you approve the request, the specific actions that will be taken are:

• Ensuring you have HTTPS certificates enabled for your tailnet in the admin console
• Ensuring a funnel attribute under nodeAttrs exists in your tailnet policy file, allowing your device to use Funnel

The CLI will prompt you as needed and display a URL for you to provide web consent. Visit this page to enable any unmet requirements.

Tailnet policy file requirement

Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file, which determines who can use Funnel on your tailnet. The web UI flow prompts you to allow Tailscale to create this node attribute if it doesn't already exist.

The default funnel attribute allows Tailscale Funnel to the nodes managed by the autogroup:member group, so by default, you will see this in the tailnet policy file in the Admin console:

"nodeAttrs": [
	{
		"target": ["autogroup:member"],
		"attr":   ["funnel"],
	},
],

Alternatively, instead of using the autogroup:member group, you can use a different group:

{
	"Groups": {
		"group:can-funnel": [
		"alice@example.com",
		"bob@example.com",
		],
		...
	},
	"nodeAttrs": [
		{
			"target": ["group:can-funnel"],
			"attr":   ["funnel"],
		},
	],
...
}

Run Tailscale Funnel

Tailscale Funnel lets you serve local directories, files, plain text, or services. As an example, you can proxy requests to a web server running at http://127.0.0.1:3000 using the following command:

$ tailscale funnel 3000

Run tailscale funnel --help to see more examples.

The CLI will open a foreground session that displays the status of what’s being served to the internet and the URL you can use to access your service:

$ tailscale funnel 3000
Available on the internet:
https://amelie-workstation.pango-lin.ts.net

|-- / proxy http://127.0.0.1:3000

Press Ctrl+C to exit.

View Funnel relay servers

When you use Tailscale Funnel, our Funnel relay servers will show up in your node’s list of Tailscale peers. Peers are visible in the Tailscale CLI, using the command tailscale status --json.

Limitations

• DNS names are restricted to your tailnet’s domain name (node-name.tailnet-name.ts.net)
• Funnel is limited to listen on ports 443, 8443, and 10000
• Funnel only works over TLS-encrypted connections
• Traffic over Funnel is subject to bandwidth limits. These limits are not currently configurable.
• Due to macOS app sandbox limitations, serving files and directories is limited to the open source variant

Troubleshooting

This section provides troubleshooting tips if you are having an issue when running Tailscale Funnel.

Node attribute required

Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file. If you use the interactive CLI flow as described in the Setup section, Tailscale will ensure this requirement is met.

As an alternative to the interactive CLI flow, you can manually add the node attribute for Funnel. You need to be an Owner, Admin, or Network admin of a tailnet to modify a tailnet policy file.

1. Open the Access controls page of the admin console.
2. Expand the Funnel section and click the Add Funnel to policy button.

This adds the default nodeAttrs section and saves the tailnet policy file automatically. For a different example of a nodeAttrs section, see Tailnet policy file requirement. Also note that after you click Add Funnel to policy, the button will no longer display because the policy is already added.

HTTPS required

Tailscale Funnel requires that you enable HTTPS on your tailnet in order to automatically provision TLS certificates for your unique tailnet DNS name. If you use the interactive CLI flow as described in the Setup section, Tailscale will enable HTTPS if it is not already enabled.