tailscale up command
tailscale up connects your device to Tailscale, and authenticates if needed.
tailscale up [flags]
tailscale up without any flags connects to Tailscale.
You can specify flags to configure Tailscale’s behavior. Flags are not persisted between runs; you must specify all flags each time.
To clear previously set flags like tags and routes, pass the flag with an empty argument:
# Connects with `tag:server` tailscale up --advertise-tags=tag:server # Connects and clears any tags tailscale up --advertise-tags=
In Tailscale v1.8 or later, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.
--accept-dnsAccept DNS configuration from the admin console. Defaults to accepting DNS settings.
--accept-risk=<risk>Accept risk and skip confirmation for risk type. This can be either
all, or an empty string to not accept risk.
--accept-routesAccept subnet routes that other nodes advertise. Linux devices default to not accepting routes.
--advertise-exit-nodeOffer to be an exit node for outbound internet traffic from the Tailscale network. Defaults to not offering to be an exit node.
--advertise-routes=<ip>Expose physical subnet routes to your entire Tailscale network.
--advertise-tags=<tags>Give tagged permissions to this device. You must be listed in
"TagOwners"to be able to apply tags.
--authkey=<key>Provide an auth key to automatically authenticate the node as your user account.
--exit-node=<ip|name>Provide a [Tailscale IP][ip-address] or [machine name][machine-name] to use as an exit node. To disable the use of an exit node, pass the flag with an empty argument:
--exit-node-allow-lan-accessAllow direct access to the local network when routing traffic via an exit node. Defaults to not allowing direct access to your LAN.
--hostname=<name>Provide a hostname to use for the device instead of the one provided by the OS. Note that this will change the machine name used in MagicDNS.
--login-server=<url>Provide the base URL of a control server instead of
https://controlplane.tailscale.com. If you are using [Headscale][headscale] for your control server, use your Headscale instance’s URL.
--netfilter-mode(Linux only) Advanced feature for controlling the degree of automatic firewall configuration. Values are either “off”, “nodivert”, or “on”. Defaults to “on”, except for Synology which defaults to “off”. Setting this flag to “off” disables all management of
netfilter. Setting to “nodivert” creates and manages Tailscale sub-chains, but leaves the calling of those chains up to the administrator. Setting to “on” means using full management of Tailscale’s rules. Note that if you set
--netfilter-modeto “off” or “nodivert”, it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by
--netfilter-mode=onas a starting point.
--operator=<user>Provide a Unix username other than
--qrGenerate a QR code for the web login URL. Defaults to not showing a QR code.
--resetReset unspecified settings to default values.
--shields-upBlock incoming connections from other devices on your Tailscale network. Useful for personal devices that only make outgoing connections.
--snat-subnet-routes(Linux only) Source NAT traffic to local routes that are advertised with
--advertise-routes. Defaults to sourcing the NAT traffic to the advertised routes. Set to false to disable subnet route masquerading.
--sshRun a Tailscale SSH server, permitting access per the tailnet admin’s declared access policy, or the default policy if none is defined. Defaults to false.
--timeout=<duration>Maximum amount of time to wait for the Tailscale service to initialize.
durationcan be any value parseable by
time.ParseDuration(). Defaults to
0s, which blocks forever.
--unattended(Windows only) Run in unattended mode where Tailscale keeps running even after the current user logs out.