tailscale up command
tailscale up connects your device to Tailscale, and authenticates if needed.
tailscale up [flags]
Running tailscale up without any flags connects to Tailscale.
You can specify flags to configure Tailscale's behavior. Flags are not persisted between runs; you must specify all flags each time.
To clear previously set flags like tags and routes, pass the flag with an empty argument:
# Connects with `tag:server`
tailscale up --advertise-tags=tag:server
# Connects and clears any tags
tailscale up --advertise-tags=
In Tailscale v1.8 or later, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.
Available flags:
--accept-dnsAccept DNS configuration from the admin console. Defaults to accepting DNS settings.--accept-risk=<risk>Accept risk and skip confirmation for risk type. This can be eitherlose-sshorall, or an empty string to not accept risk.--accept-routesAccept subnet routes that other nodes advertise. Linux devices default to not accepting routes.--advertise-exit-nodeOffer to be an exit node for outbound internet traffic from the Tailscale network. Defaults to not offering to be an exit node.--advertise-routes=<ip>Expose physical subnet routes to your entire Tailscale network.--advertise-tags=<tags>Give tagged permissions to this device. You must be listed in"TagOwners"to be able to apply tags.--authkey=<key>Provide an auth key to automatically authenticate the node as your user account.--exit-node=<ip|name>Provide a Tailscale IP or machine name to use as an exit node. To disable the use of an exit node, pass the flag with an empty argument:--exit-node=.--exit-node-allow-lan-accessAllow the client node access to its own LAN while connected to an exit node. Defaults to not allowing access while connected to an exit node.--force-reauthForce re-authentication.--hostname=<name>Provide a hostname to use for the device instead of the one provided by the OS. Note that this will change the machine name used in MagicDNS.--login-server=<url>Provide the base URL of a control server instead ofhttps://controlplane.tailscale.com. If you are using Headscale for your control server, use your Headscale instance's URL.--netfilter-mode(Linux only) Advanced feature for controlling the degree of automatic firewall configuration. Values are either "off", "nodivert", or "on". Defaults to "on", except for Synology which defaults to "off". Setting this flag to "off" disables all management ofnetfilter. Setting to "nodivert" creates and manages Tailscale sub-chains, but leaves the calling of those chains up to the administrator. Setting to "on" means using full management of Tailscale's rules. Note that if you set--netfilter-modeto "off" or "nodivert", it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by--netfilter-mode=onas a starting point.--operator=<user>Provide a Unix username other thanrootto operatetailscaled.--qrGenerate a QR code for the web login URL. Defaults to not showing a QR code.--resetReset unspecified settings to default values.--shields-upBlock incoming connections from other devices on your Tailscale network. Useful for personal devices that only make outgoing connections.--snat-subnet-routes(Linux only) Source NAT traffic to local routes that are advertised with--advertise-routes. Defaults to sourcing the NAT traffic to the advertised routes. Set to false to disable subnet route masquerading.--sshRun a Tailscale SSH server, permitting access per the tailnet admin's declared access policy, or the default policy if none is defined. Defaults to false.--timeout=<duration>Maximum amount of time to wait for the Tailscale service to initialize.durationcan be any value parseable bytime.ParseDuration(). Defaults to0s, which blocks forever.--unattended(Windows only) Run in unattended mode where Tailscale keeps running even after the current user logs out.