Tailscale Funnel
Tailscale Funnel is a feature that allows you to route traffic from the wider internet to one or more of your Tailscale nodes. You can think of this as publicly sharing a node for anyone to access, even if they don’t have Tailscale themselves. This page provides information about how to set up Funnel on your own Tailscale network (known as a tailnet) and how it works; for more specific use cases, see Tailscale Funnel and serve examples.
How it works
When you turn Tailscale Funnel on, we set up public DNS records for your node-name.tailnet-name.ts.net to point to Funnel servers that we run. When someone accesses that URL, our Funnel servers accept the incoming request and proxy the TCP connection over Tailscale to your node. Your Tailscale node then terminates the TLS, which means that our Funnel ingress nodes don’t see any information about this traffic or what’s being served. We can only see the source IP and port, the SNI name, and the number of bytes passing through.
We run a series of Funnel servers around the world that handle incoming internet traffic. These servers will show up in your node’s list of Tailscale peers, which are visible in the CLI with tailscale serve status --json. These nodes don’t have access to connect to your nodes directly. The only thing they’re allowed to do is offer a TCP connection, which your nodes can accept or reject.
Setup
Tailscale Funnel is off by default and double opt-in.
The Tailscale CLI command tailscale funnel provides an interactive web UI that will prompt you to allow Tailscale to enable Tailscale Funnel on your behalf. The specific actions that will be taken (if allowed by you) are:
- Ensuring you have HTTPS certificates enabled for your tailnet in the admin console.
- Ensuring a funnel attribute under nodeAttrs that allows your device to use Funnel exists in your tailnet policy file.
The funnel CLI will prompt you as needed and send you to a web consent page to enable any unmet requirements.

Tailnet policy file requirement
Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file, which determines who can use Funnel on your tailnet. The web UI flow prompts you to allow Tailscale to create this node attribute, if it doesn’t already exist.
The default funnel attribute allows Tailscale Funnel to the nodes managed by the autogroup:member group, so by default, you will see this in the web UI:
"nodeAttrs": [
    {
        "target": ["autogroup:member"],
        "attr": ["funnel"],
    },
],
Alternatively, instead of using the autogroup:member group, you can use a different group:
{
    "Groups": {
        "group:can-funnel": [
            "alice@example.com",
            "bob@example.com",
        ],
        ...
    },
    "nodeAttrs": [
        {
            "target": ["group:can-funnel"],
            "attr": ["funnel"],
        },
    ],
    ...
}
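One way to audit which targets hold the funnel attribute in a policy file, as an added example that is not part of Tailscale's tooling. The names strip_hujson and funnel_grants are hypothetical, the sample policy is constructed from the two snippets above, and matching top-level keys case-insensitively is an assumption of this example.

```python
import json

def strip_hujson(text):
    """Remove // and /* */ comments and trailing commas, leaving strings intact."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                          # copy string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):              # line comment
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):              # block comment
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            if text[i] in "}]":                     # drop comma left before a closer
                k = len(out) - 1
                while k >= 0 and out[k].isspace():
                    k -= 1
                if k >= 0 and out[k] == ",":
                    del out[k]
            out.append(text[i])
            i += 1
    return "".join(out)

def funnel_grants(policy_text):
    """List every nodeAttrs target that carries the "funnel" attribute."""
    policy = {k.lower(): v for k, v in json.loads(strip_hujson(policy_text)).items()}
    groups = policy.get("groups", {})
    grants = []
    for entry in policy.get("nodeattrs", []):
        if "funnel" in entry.get("attr", []):
            for target in entry.get("target", []):
                grants.append({"target": target,
                               "all_members": target == "autogroup:member",
                               "members": groups.get(target, [])})
    return grants

# Constructed sample policy, modeled on the two snippets above.
SAMPLE_POLICY = """{
  "Groups": {"group:can-funnel": ["alice@example.com", "bob@example.com",]},
  // two grants: one scoped to a group, one for every member
  "nodeAttrs": [
    {"target": ["group:can-funnel"], "attr": ["funnel"],},
    {"target": ["autogroup:member"], "attr": ["funnel"],},
  ],
}"""
```

A grant with all_members set is the default the web UI creates; narrowing it to a named group limits who can expose a node publicly.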
Examples
If you run the tailscale serve command and HTTPS isn’t enabled on your tailnet, a login server URL will be presented that can be followed to enable the feature. The same web UI will offer to enable Tailscale Funnel, if it isn’t already enabled.
Start serving from your node: serve local files, directories or even static text.
You can also proxy requests to a locally running service. For example, to proxy requests to a web server at 127.0.0.1:3000, run:
$ tailscale serve https / http://127.0.0.1:3000
Run tailscale serve --help to see more examples.
You also need to turn on Funnel to expose the tailscale serve server publicly, open to the entire internet:
$ tailscale funnel 443 on
Once that’s done, you can view the status of what’s being served and see the URL used to access your server:
$ tailscale funnel status
https://node-name.tailnet-name.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000
Limitations
- DNS names are restricted to your tailnet’s domain name.
- The ports you can specify to expose your servers via Funnel are currently 443, 8443 and 10000.
- Traffic over Funnel is subject to bandwidth limits. They are not currently configurable.
- Due to macOS sandbox limitations, serving files and directories is limited to the open source variant.
Troubleshooting
This section provides troubleshooting tips if you are having an issue when running Tailscale Funnel.
Enable Funnel for your tailnet
Funnel is disabled by default, meaning that nodes in your tailnet are unable to enable public access unless you choose to enable the service. To enable Funnel, use the interactive CLI flow as described in the Setup section.
As an alternative to using the interactive web UI, you can manually set up Funnel:
- Enable Funnel from the Feature previews section in the General settings page of the admin console.
- Ensure an ACL exists that manages which nodes are allowed to accept internet traffic using Funnel. This will require modifying the tailnet policy file to include Funnel policies. You need to be an Owner, Admin, or Network admin of a tailnet in order to modify a tailnet policy file.
HTTPS required
Tailscale Funnel requires that you enable HTTPS on your tailnet. Tailscale Funnel automatically provisions TLS certificates for your unique tailnet DNS name—this functionality requires you to enable HTTPS. If you use the interactive CLI flow as described in the Setup section, Tailscale will enable HTTPS if it is not already enabled.
Node attribute required
Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file. If you use the interactive CLI flow as described in the Setup section, Tailscale will ensure this requirement is met.
As an alternative to the interactive CLI flow, you can manually add the node attribute for Funnel. You need to be an Owner, Admin, or Network admin of a tailnet in order to modify a tailnet policy file.
- Open the Access controls page in the admin console.
- Click the Add Funnel to policy button.
This adds the default nodeAttrs section and saves the tailnet policy file automatically. For a different example of a nodeAttrs section, see Tailnet policy file requirement.