tailscale up command

tailscale up connects your device to Tailscale, and authenticates if needed.

tailscale up [flags]

Running tailscale up without any flags connects to Tailscale.

You can specify flags to configure Tailscale’s behavior. Flags are not persisted between runs; you must specify all flags each time.

To clear previously set flags like tags and routes, pass the flag with an empty argument:

# Connects with `tag:server`
tailscale up --advertise-tags=tag:server

# Connects and clears any tags
tailscale up --advertise-tags=

In Tailscale v1.8 or later, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.

Available flags:

  • --accept-dns Accept DNS configuration from the admin console. Defaults to accepting DNS settings.
  • --accept-risk=<risk> Accept risk and skip confirmation for risk type. This can be either lose-ssh or all, or an empty string to not accept risk.
  • --accept-routes Accept subnet routes that other nodes advertise. Linux devices default to not accepting routes.
  • --advertise-exit-node Offer to be an exit node for outbound internet traffic from the Tailscale network. Defaults to not offering to be an exit node.
  • --advertise-routes=<ip> Expose physical subnet routes to your entire Tailscale network.
  • --advertise-tags=<tags> Give tagged permissions to this device. You must be listed in "TagOwners" to be able to apply tags.
  • --authkey=<key> Provide an auth key to automatically authenticate the node as your user account.
  • --exit-node=<ip|name> Provide a Tailscale IP or machine name to use as an exit node. To disable the use of an exit node, pass the flag with an empty argument: --exit-node=.
  • --exit-node-allow-lan-access Allow the client node access to its own LAN while connected to an exit node. Defaults to not allowing access while connected to an exit node.
  • --force-reauth Force re-authentication.
  • --hostname=<name> Provide a hostname to use for the device instead of the one provided by the OS. Note that this will change the machine name used in MagicDNS.
  • --login-server=<url> Provide the base URL of a control server instead of https://controlplane.tailscale.com. If you are using Headscale for your control server, use your Headscale instance’s URL.
  • --netfilter-mode (Linux only) Advanced feature for controlling the degree of automatic firewall configuration. Values are either “off”, “nodivert”, or “on”. Defaults to “on”, except for Synology which defaults to “off”. Setting this flag to “off” disables all management of netfilter. Setting to “nodivert” creates and manages Tailscale sub-chains, but leaves the calling of those chains up to the administrator. Setting to “on” means using full management of Tailscale’s rules. Note that if you set --netfilter-mode to “off” or “nodivert”, it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by --netfilter-mode=on as a starting point.
  • --operator=<user> Provide a Unix username other than root to operate tailscaled.
  • --qr Generate a QR code for the web login URL. Defaults to not showing a QR code.
  • --reset Reset unspecified settings to default values.
  • --shields-up Block incoming connections from other devices on your Tailscale network. Useful for personal devices that only make outgoing connections.
  • --snat-subnet-routes (Linux only) Source NAT traffic to local routes that are advertised with --advertise-routes. Defaults to sourcing the NAT traffic to the advertised routes. Set to false to disable subnet route masquerading.
  • --ssh Run a Tailscale SSH server, permitting access per the tailnet admin’s declared access policy, or the default policy if none is defined. Defaults to false.
  • --timeout=<duration> Maximum amount of time to wait for the Tailscale service to initialize. duration can be any value parseable by time.ParseDuration(). Defaults to 0s, which blocks forever.
  • --unattended(Windows only) Run in unattended mode where Tailscale keeps running even after the current user logs out.