Tailscale Funnel

Tailscale Funnel is a feature that allows you to route traffic from the wider internet to one or more of your Tailscale nodes. You can think of this as publicly sharing a node for anyone to access, even if they don’t have Tailscale themselves.

Tailscale Funnel is currently in alpha. To try it, follow the steps below to enable it for your network using Tailscale v1.34 or later.
This feature is currently an invite only feature. To request access, visit the General page in the admin console and click Join Tailscale Funnel waitlist.

How it works

When you turn Tailscale Funnel on, we set up public DNS records for your node-name.tailnet-name.ts.net to point to Funnel servers that we run. When someone accesses that URL, our Funnel servers accept the incoming request and send a TCP proxy over Tailscale to your node. Your Tailscale node then terminates the TLS, which means that our Funnel ingress nodes don’t see any information about this traffic or what’s being served. We can only see the source IP and port, the SNI name, and the number of bytes passing through.

We run a series of Funnel servers around the world that handle incoming internet traffic. These servers will show up in your node’s list of Tailscale peers, which are visible in the CLI with tailscale funnel status. These nodes don’t have access to connect to your nodes directly. The only thing they’re allowed to do is offer a TCP connection, which your nodes can accept or reject.

Setup

Tailscale Funnel is off by default and double opt-in. To enable Tailscale Funnel, you must:

  • Ensure you have HTTPS certificates enabled for your tailnet in the admin console.
  • Add a new funnel attribute under nodeAttrs in your tailnet policy file.
  • Enable Funnel on a specific node with tailscale funnel <port> on.

To enable Tailscale Funnel, you need to edit your tailnet policy file to contain a funnel node attribute for the nodes you’d like to have access to Tailscale Funnel.

To add the default funnel node attribute, which allows Tailscale Funnel on the nodes managed by the autogroup:members group:

  1. Open the Access controls page in the admin console.

  2. Click the Add Funnel to policy button. Clicking this button adds the default nodeAttrs section and saves the tailnet policy file automatically. The default nodeAttrs section looks like:

    "nodeAttrs": [
        {
            "target": ["autogroup:members"],
            "attr":   ["funnel"],
        },
    ],


Alternatively, instead of using the autogroup:members group, use a different group:

  1. Open the Access controls page in the admin console.

  2. In the Edit file tab, add a nodeAttrs section. If you don’t already have a group that you want to use, create the group. This example creates a group named can-funnel and allows the group members to use funnel on their nodes:

    {
        "Groups": {
            "group:can-funnel": [
                "alice@example.com",
                "bob@example.com",
            ],
            ...
        },
        "nodeAttrs": [
            {
                "target": ["group:can-funnel"],
                "attr":   ["funnel"],
            },
        ],
        ...
    }

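Because the funnel attribute is what turns a node into a public ingress point, it is worth checking who a policy file actually grants it to before saving it. The following audit script is an added example, not Tailscale's own tooling: it loads a constructed policy modeled on the two nodeAttrs examples above (the policy file is HuJSON, so comments and trailing commas must be tolerated), lists the targets that carry "funnel", expands group:* targets to their members, and flags a grant to autogroup:members, which covers every member of the tailnet.

```python
import json
import re

# Constructed sample policy, modeled on the second Setup example above.
SAMPLE_POLICY = """
{
    // constructed example tailnet policy file (HuJSON)
    "Groups": {
        "group:can-funnel": [
            "alice@example.com",
            "bob@example.com",
        ],
    },
    "nodeAttrs": [
        {
            "target": ["group:can-funnel"],
            "attr":   ["funnel"],
        },
    ],
}
"""

def hujson_to_dict(text):
    """Minimal HuJSON loader: drop whole-line // comments and trailing commas, then parse."""
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)

def funnel_grants(policy):
    """Return every target of a nodeAttrs entry whose attr list contains "funnel"."""
    targets = []
    for entry in policy.get("nodeAttrs", []):
        if "funnel" in entry.get("attr", []):
            targets.extend(entry.get("target", []))
    return targets

def resolve_targets(policy, targets):
    """Expand group:* targets to their members; autogroup:* and users stay as written."""
    groups = policy.get("Groups", {})
    resolved = []
    for target in targets:
        resolved.extend(groups.get(target, []) if target.startswith("group:") else [target])
    return resolved

def audit(text):
    """Summarize who may enable Funnel; whole_tailnet is True for autogroup:members grants."""
    policy = hujson_to_dict(text)
    targets = funnel_grants(policy)
    return {"targets": targets,
            "principals": resolve_targets(policy, targets),
            "whole_tailnet": "autogroup:members" in targets}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Run it against your own exported policy file to confirm the grant is as narrow as you intended before turning Funnel on.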

Start serving from your node: serve local files, directories or even static text. You can also proxy requests to a locally running service. As an example, proxy requests to a web server at 127.0.0.1:3000, with

$ tailscale serve https:443 / http://127.0.0.1:3000

Run tailscale serve --help to see more examples.

You also need to turn on Funnel to expose the tailscale serve server publicly, open to the entire internet:

$ tailscale funnel 443 on

It takes approximately 10 minutes for public DNS records to appear for your tailnet domain.

Once that’s done, you can view the status of what’s being served and see the URL used to access your server:

$ tailscale funnel status
https://node-name.tailnet-name.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000

Limitations

  • DNS names are restricted to that of your tailnet’s domain name.
  • The ports you can specify to expose your servers via Funnel are currently 443, 8443 and 10000.
  • Traffic over Funnel is subject to bandwidth limits. They are not currently configurable.
  • There are currently known bugs when accessing public Funnel URLs between two users both using Tailscale on different tailnets on some platforms.
  • Tailscale Funnel works best on Linux now during alpha. Other platforms are not as polished currently.

Troubleshooting

This section provides troubleshooting tips if you are having an issue when running Tailscale Funnel.

Invite code required

Tailscale Funnel is currently an invite-only feature and cannot be enabled without both receiving and accepting an invitation. Grab an invite from a friend, or request access by opening the General settings page of the admin console and clicking Join Tailscale Funnel waitlist.

HTTPS required

Tailscale Funnel requires that you enable HTTPS on your tailnet. Tailscale Funnel automatically provisions TLS certificates for your unique tailnet DNS name—this functionality requires you to enable HTTPS.

Node attribute required

Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file.

You need to be an Owner, Admin, or Network Admin of a tailnet in order to modify a tailnet policy file.

To add a default nodeAttrs of "funnel", open the Access controls page in the admin console and click the Add Funnel to policy button. Clicking this button adds the default nodeAttrs section and saves the tailnet policy file automatically. For a different example of a nodeAttrs section, see Setup.

© 2023 Tailscale Inc.