Tailscale Funnel
Tailscale Funnel is a feature that allows you to route traffic from the wider internet to one or more of your Tailscale nodes. You can think of this as publicly sharing a node for anyone to access, even if they don’t have Tailscale themselves.
How it works
When you turn Tailscale Funnel on, we set up public DNS records for your node-name.tailnet-name.ts.net to point to Funnel servers that we run. When someone accesses that URL, our Funnel servers accept the incoming request and proxy the TCP connection over Tailscale to your node. Your Tailscale node then terminates the TLS, which means that our Funnel ingress nodes don’t see any information about this traffic or what’s being served. We can only see the source IP and port, the SNI name, and the number of bytes passing through.
We run a series of Funnel servers around the world that handle incoming internet traffic. These servers will show up in your node’s list of Tailscale peers, which are visible in the CLI with tailscale funnel status. These nodes don’t have access to connect to your nodes directly. The only thing they’re allowed to do is offer a TCP connection, which your nodes can accept or reject.
Setup
Tailscale Funnel is off by default and double opt-in. To enable Tailscale Funnel, you must:
- Ensure you have HTTPS certificates enabled for your tailnet in the admin console.
- Add a new funnel attribute under nodeAttrs in your tailnet policy file.
- Enable Funnel on a specific node with tailscale funnel <port> on.
To enable Tailscale Funnel, you need to edit your tailnet policy file to contain a funnel node attribute for the nodes you’d like to have access to Tailscale Funnel.
To add the default funnel node attribute, which allows Tailscale Funnel to the nodes managed by the autogroup:members group:
- Open the Access controls page in the admin console.
- Click the Add Funnel to policy button. Clicking this button adds the default nodeAttrs section and saves the tailnet policy file automatically. The default nodeAttrs section looks like:
  "nodeAttrs": [
    {
      "target": ["autogroup:members"],
      "attr": ["funnel"],
    },
  ],
Alternatively, instead of using the autogroup:members group, use a different group:
- Open the Access controls page in the admin console.
- In the Edit file tab, add a nodeAttrs section. If you don’t already have a group that you want to use, create the group. This example creates a group named can-funnel and allows the group members to use funnel on their nodes:
  {
    "Groups": {
      "group:can-funnel": [
        "alice@example.com",
        "bob@example.com",
      ],
      ...
    },
    "nodeAttrs": [
      {
        "target": ["group:can-funnel"],
        "attr": ["funnel"],
      },
    ],
    ...
  }
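Because the funnel attribute decides who may expose a node to the public internet, it is worth auditing the policy file for exactly which identities hold it. The following is an added example, not Tailscale’s own code: it reads a policy in the HuJSON style shown above (comments and trailing commas allowed) and lists the principals granted "funnel"; the sample policy and the hujson_loads helper are constructed for this example.

```python
import json
import re

# Constructed sample tailnet policy in HuJSON style (comments and trailing
# commas), which plain json.loads would reject.
SAMPLE_POLICY = '''
{
  // Who may expose a node to the public internet via Funnel.
  "Groups": {
    "group:can-funnel": ["alice@example.com", "bob@example.com"],
    "group:eng": ["carol@example.com"],
  },
  "nodeAttrs": [
    { "target": ["group:can-funnel"], "attr": ["funnel"], },
    { "target": ["group:eng"], "attr": ["mullvad"], },
  ],
}
'''


def hujson_loads(text):
    """Minimal HuJSON reader (assumption: enough for policy files like the
    samples on this page): strip // and /* */ comments outside string
    literals, drop trailing commas before } or ], then parse as JSON."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':  # copy a string literal verbatim, honouring escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j < 0 else j
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return json.loads(re.sub(r',(\s*[}\]])', r'\1', ''.join(out)))


def funnel_principals(policy):
    """Return the set of identities granted the "funnel" attribute, expanding
    group: targets to their members. autogroup:* targets are returned as-is
    because their membership is not defined in the policy file."""
    groups = policy.get("Groups", {})
    found = set()
    for rule in policy.get("nodeAttrs", []):
        if "funnel" not in rule.get("attr", []):
            continue
        for target in rule.get("target", []):
            found.update(groups.get(target, [target]))
    return found
```

For the sample policy this reports alice@example.com and bob@example.com; a result containing autogroup:members means every member of the tailnet can publish a node.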
Start serving from your node: serve local files, directories or even static text. You can also proxy requests to a locally running service. As an example, proxy requests to a web server at 127.0.0.1:3000 with:
$ tailscale serve https:443 / http://127.0.0.1:3000
Run tailscale serve --help to see more examples.
You also need to turn on Funnel to expose the tailscale serve server publicly, open to the entire internet:
$ tailscale funnel 443 on
Once that’s done, you can view the status of what’s being served and see the URL used to access your server:
$ tailscale funnel status
https://node-name.tailnet-name.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000
Limitations
- DNS names are restricted to that of your tailnet’s domain name.
- The ports you can specify to expose your servers via Funnel are currently 443, 8443 and 10000.
- Traffic over Funnel is subject to bandwidth limits. They are not currently configurable.
- On some platforms, there are currently known bugs when a user on one tailnet accesses a public Funnel URL served from a different tailnet.
- Tailscale Funnel works best on Linux now during alpha. Other platforms are not as polished currently.
Troubleshooting
This section provides troubleshooting tips if you are having an issue when running Tailscale Funnel.
Invite code required
Tailscale Funnel is currently an invite-only feature and cannot be enabled without both receiving and accepting an invitation. Grab an invite from a friend, or request access by opening the General settings page of the admin console and clicking Join Tailscale Funnel waitlist.
HTTPS required
Tailscale Funnel requires that you enable HTTPS on your tailnet. Tailscale Funnel automatically provisions TLS certificates for your unique tailnet DNS name—this functionality requires you to enable HTTPS.
Node attribute required
Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file.
You need to be an Owner, Admin, or Network Admin of a tailnet in order to modify a tailnet policy file.
To add a default nodeAttrs of "funnel", open the Access controls page in the admin console and click the Add Funnel to policy button. Clicking this button adds the default nodeAttrs section and saves the tailnet policy file automatically. For a different example of a nodeAttrs section, see Setup.