Tailscale Funnel

Tailscale Funnel is a feature that allows you to route traffic from the wider internet to one or more of your Tailscale nodes. You can think of this as publicly sharing a node for anyone to access, even if they don’t have Tailscale themselves.

Tailscale Funnel is currently in alpha. To try it, follow the steps below to enable it for your network using Tailscale v1.33.257 or later.

Tailscale Funnel is currently an invite only feature. To get access, you’ll need an invitation from a user on another tailnet that already has access to Tailscale Funnel.

How it works

When you turn Tailscale Funnel on, we set up public DNS records for your node-name.tailnet-name.ts.net to point to Funnel servers that we run. When someone accesses that URL, our Funnel servers accept the incoming request and proxy the TCP connection over Tailscale to your node. Your Tailscale node then terminates TLS, which means that our Funnel ingress nodes don’t see the contents of this traffic or what’s being served. We can only see the source IP and port, the SNI name, and the number of bytes passing through.

We run a series of Funnel servers around the world that handle incoming internet traffic. These servers will show up in your node’s list of Tailscale peers, which are visible in the CLI with tailscale serve status. These nodes can’t connect to your nodes directly. The only thing they’re allowed to do is offer a TCP connection, which your nodes can accept or reject.

Setup

Tailscale Funnel is off by default and requires a double opt-in. To enable Tailscale Funnel, you must:

  • Ensure you have HTTPS certificates enabled for your tailnet in the admin console.
  • Add a new funnel attribute under nodeAttrs in your tailnet policy file.
  • Enable Funnel on a specific node with tailscale serve funnel on.

To enable Tailscale Funnel, edit your tailnet policy file, then add a funnel node attribute to the nodes you’d like to have access to Tailscale Funnel, like:

{
	"Groups": {
		"group:can-funnel": [
			"alice@example.com",
			"bob@example.com",
		],
		...
	},
	"nodeAttrs": [
		{
			"target": ["group:can-funnel"],
			"attr":   ["funnel"],
		},
	],
...
}

Start serving from your node: serve local files, directories or even static text. You can also proxy requests to a locally running service. As an example, proxy requests to a web server at 127.0.0.1:3000, with

$ tailscale serve / proxy 3000

Run tailscale serve --help to see more examples.

You also need to turn on Funnel to expose the tailscale serve server publicly, open to the entire internet:

$ tailscale serve funnel on

Once that’s done, you can view the status of what’s being served and see the URL used to access your server:

$ tailscale serve status
https://node-name.tailnet-name.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000
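As an added example (not Tailscale’s own code or documentation), the following Python audits both halves of the double opt-in: it lists every principal the policy file’s nodeAttrs grant the funnel attribute to, with groups expanded, and checks a tailscale serve status dump for the (Funnel on) marker. The policy and status text are constructed samples; the HuJSON handling is a minimal comment and trailing-comma stripper, and the second nodeAttrs entry uses a made-up attribute name.

```python
import json
import re

# Constructed sample tailnet policy (HuJSON allows comments and trailing
# commas), modelled on the snippet in this page; not any real tailnet's policy.
SAMPLE_POLICY = """{
  // Users who may turn Funnel on for their own nodes
  "Groups": {
    "group:can-funnel": ["alice@example.com", "bob@example.com",],
    "group:ops": ["carol@example.com"],
  },
  "nodeAttrs": [
    {"target": ["group:can-funnel", "dave@example.com"], "attr": ["funnel"],},
    {"target": ["group:ops"], "attr": ["example-other-attr"],},  // made-up attr
  ],
}"""
# Constructed 'tailscale serve status' output, in the shape this page shows.
SAMPLE_STATUS = "https://node-name.tailnet-name.ts.net (Funnel on)\n|-- / proxy http://127.0.0.1:3000\n"


def hujson_to_json(text: str) -> str:
    """Minimal HuJSON -> JSON: drop // comments and trailing commas (the
    lookbehind keeps the // inside URLs such as https://... intact)."""
    no_comments = re.sub(r"(?<!:)//[^\n]*", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)


def funnel_principals(policy_text: str) -> set[str]:
    """Every target granted the 'funnel' node attribute, with group: entries
    expanded to members; other targets ('*', autogroup:..., users) are kept
    verbatim so a wildcard grant stays visible in the result."""
    policy = json.loads(hujson_to_json(policy_text))
    groups = policy.get("Groups", policy.get("groups", {}))
    granted: set[str] = set()
    for rule in policy.get("nodeAttrs", []):
        if "funnel" not in rule.get("attr", []):
            continue
        for target in rule.get("target", []):
            if target.startswith("group:"):
                granted.update(groups.get(target, []))  # unknown group: no members
            else:
                granted.add(target)
    return granted


def funnel_enabled(serve_status: str) -> bool:
    """True when 'tailscale serve status' output reports Funnel on for the node."""
    return bool(re.search(r"^https://\S+ \(Funnel on\)$", serve_status, re.M))
```

Run funnel_principals on an exported policy file and funnel_enabled on the real tailscale serve status output to see who may expose nodes and whether this node is currently public.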

Limitations

  • DNS names are restricted to that of your tailnet’s domain name.
  • The ports you can expose your servers on are currently limited to 443, 8443 and 10000.
  • Traffic over Funnel is subject to bandwidth limits. They are not currently configurable.
  • There are currently known bugs on some platforms when a Tailscale user on one tailnet accesses a public Funnel URL served from a different tailnet.
  • Tailscale Funnel currently works best on Linux during the alpha; other platforms are not yet as polished.


© 2022 Tailscale Inc.