Tailscale Funnel

Tailscale Funnel is a feature that allows you to route traffic from the wider internet to one or more of your Tailscale nodes. You can think of this as publicly sharing a node for anyone to access, even if they don’t have Tailscale themselves. This page provides information about how to set up Funnel on your own Tailscale network (known as a tailnet) and how it works; for more specific use cases, see Tailscale Funnel and serve examples.

Tailscale Funnel is available for the Free, Premium, and Enterprise plans.
Tailscale Funnel is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.38.3 or later.

How it works

When you turn Tailscale Funnel on, we set up public DNS records for your node-name.tailnet-name.ts.net to point to Funnel servers that we run. When someone accesses that URL, our Funnel servers accept the incoming request and send a TCP proxy over Tailscale to your node. Your Tailscale node then terminates the TLS, which means that our Funnel ingress nodes don’t see any information about this traffic or what’s being served. We can only see the source IP and port, the SNI name, and the number of bytes passing through.

We run a series of Funnel servers around the world that handle incoming internet traffic. These servers will show up in your node’s list of Tailscale peers, which are visible in the CLI with tailscale serve status --json. These nodes don’t have access to connect to your nodes directly. The only thing they’re allowed to do is offer a TCP connection, which your nodes can accept or reject.

Setup

Tailscale Funnel is off by default and double opt-in.

The Tailscale CLI command tailscale funnel provides an interactive web UI that will prompt you to allow Tailscale to enable Tailscale Funnel on your behalf. The specific actions that will be taken (if allowed by you) are:

  • Ensuring you have HTTPS certificates enabled for your tailnet in the admin console.
  • Ensuring a funnel attribute under nodeAttrs that allows your device to use Funnel exists in your tailnet policy file.

The funnel CLI will prompt you as needed and send you to a web consent page to enable any unmet requirements.

The 'Start using funnel' web consent page

Tailnet policy file requirement

Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file, which determines who can use Funnel on your tailnet. The web UI flow prompts you to allow Tailscale to create this node attribute, if it doesn’t already exist.

The default funnel attribute allows Tailscale Funnel to the nodes managed by the autogroup:member group, so by default, you will see this in the web UI:

"nodeAttrs": [
	{
		"target": ["autogroup:member"],
		"attr":   ["funnel"],
	},
],

Alternatively, instead of using the autogroup:member group, you can use a different group:

{
	"Groups": {
		"group:can-funnel": [
		"alice@example.com",
		"bob@example.com",
		],
		...
	},
	"nodeAttrs": [
		{
			"target": ["group:can-funnel"],
			"attr":   ["funnel"],
		},
	],
...
}
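As an added example (not Tailscale's own code) of auditing who a tailnet policy file grants Funnel to, the following Python reads a HuJSON policy like the two above, lists the nodeAttrs targets that carry the "funnel" attribute, expands group:* targets to their members from the policy's own groups section, and flags a tailnet-wide (autogroup) grant; both policy files in the block are constructed for this example.

```python
import json
import re

# Two constructed policy files (HuJSON, as Tailscale accepts it: comments and
# trailing commas are allowed). DEFAULT_POLICY mirrors the default nodeAttrs
# the web UI proposes; RESTRICTED_POLICY grants Funnel to a named group only.
DEFAULT_POLICY = '''{
    "nodeAttrs": [
        { "target": ["autogroup:member"], "attr": ["funnel"], },
    ],
}'''
RESTRICTED_POLICY = '''{
    // Only this group may expose nodes to the internet with Funnel.
    "Groups": {
        "group:can-funnel": ["alice@example.com", "bob@example.com"],
    },
    "nodeAttrs": [
        { "target": ["group:can-funnel"], "attr": ["funnel"], },
    ],
}'''

def load_policy(text):
    """Parse HuJSON: strip /* */ and // comments and trailing commas."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    # '//' at line start or after whitespace is a comment; '://' in a URL is not.
    text = re.sub(r'(^|\s)//.*$', '', text, flags=re.M)
    text = re.sub(r',(\s*[}\]])', r'\1', text)
    return json.loads(text)

def funnel_targets(policy):
    """Targets of every nodeAttrs entry that grants the "funnel" attribute."""
    targets = []
    for entry in policy.get("nodeAttrs", []):
        if "funnel" in entry.get("attr", []):
            targets.extend(entry.get("target", []))
    return targets

def expand_funnel_targets(policy):
    """Map each funnel target to the users it covers: group:* targets expand
    from the policy's "groups"/"Groups" section, others pass through as-is."""
    groups = {}
    for key, value in policy.items():
        if key.lower() == "groups":
            groups = value
    return {t: list(groups.get(t, [t])) for t in funnel_targets(policy)}

def funnel_grant_is_tailnet_wide(policy):
    """True when Funnel is granted to an autogroup (e.g. autogroup:member),
    so every matching user, not just a named group, can expose nodes publicly."""
    return any(t.startswith("autogroup:") for t in funnel_targets(policy))
```

Run it against your real policy file (exported from the admin console) to see at a glance which users may turn a node into a public endpoint.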

Examples

If you run the tailscale serve command and HTTPS isn’t enabled on your tailnet, a login server URL will be presented that can be followed to enable the feature. The same web UI will offer to enable Tailscale Funnel, if it isn’t already enabled.

Start serving from your node: serve local files, directories or even static text.

You can also proxy requests to a locally running service. As an example, proxy requests to a web server at 127.0.0.1:3000, with

$ tailscale serve https / http://127.0.0.1:3000

Run tailscale serve --help to see more examples.

You also need to turn on Funnel to expose the tailscale serve server publicly, open to the entire internet:

$ tailscale funnel 443 on

It takes approximately 10 minutes for public DNS records to appear for your tailnet domain.

Once that’s done, you can view the status of what’s being served and see the URL used to access your server:

$ tailscale funnel status
https://node-name.tailnet-name.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000

Limitations

  • DNS names are restricted to that of your tailnet’s domain name.
  • The ports you can specify to expose your servers via Funnel are currently 443, 8443 and 10000.
  • Traffic over Funnel is subject to bandwidth limits. They are not currently configurable.
  • Due to macOS sandbox limitations, serving files and directories is limited to the open source variant.

Troubleshooting

This section provides troubleshooting tips if you are having an issue when running Tailscale Funnel.

Enable Funnel for your tailnet

Funnel is disabled by default, meaning that nodes in your tailnet are unable to enable public access unless you choose to enable the service. To enable Funnel, use the interactive CLI flow as described in the Setup section.

As an alternative to using the interactive web UI, you can manually set up Funnel:

  1. Enable Funnel from the Feature previews section in the General settings page of the admin console.
  2. Ensure an ACL exists that manages which nodes are allowed to accept internet traffic using Funnel. This will require modifying the tailnet policy file to include Funnel policies. You need to be an Owner, Admin, or Network admin of a tailnet in order to modify a tailnet policy file.

HTTPS required

Tailscale Funnel requires that you enable HTTPS on your tailnet. Tailscale Funnel automatically provisions TLS certificates for your unique tailnet DNS name—this functionality requires you to enable HTTPS. If you use the interactive CLI flow as described in the Setup section, Tailscale will enable HTTPS if it is not already enabled.

Node attribute required

Tailscale Funnel requires a node attribute (nodeAttrs) of "funnel" in your tailnet policy file. If you use the interactive CLI flow as described in the Setup section, Tailscale will ensure this requirement is met.

As an alternative to the interactive CLI flow, you can manually add the node attribute for Funnel. You need to be an Owner, Admin, or Network admin of a tailnet in order to modify a tailnet policy file.

  1. Open the Access controls page in the admin console.
  2. Click the Add Funnel to policy button.

This adds the default nodeAttrs section and saves the tailnet policy file automatically. For a different example of a nodeAttrs section, see Tailnet policy file requirement.
