tailscale serve command

Serve content and local servers from your Tailscale node to your tailnet.

You can also choose to enable Funnel via the tailscale funnel command which allows you to publish a tailscale serve server publicly, open to the entire Internet.

Tailscale Funnel is currently an invite-only feature. For more information and to find out how to get an invite, read our blog post Introducing Tailscale Funnel.

Usage:

serve https:<port> <mount-point> <source> [off]
serve tcp:<port> tcp://localhost:<local-port> [off]
serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
serve status [--json]

Examples:

  • To proxy requests to a web server at 127.0.0.1:3000:

    $ tailscale serve https / http://127.0.0.1:3000
    
  • To serve a single file or a directory of files:

    $ tailscale serve https:443 / /home/alice/blog/index.html
    $ tailscale serve https:443 /images/ /home/alice/blog/images
    
  • To serve simple static text:

    $ tailscale serve https:443 / text:"Hello, world!"
    
  • To forward raw TCP packets to a local TCP server on port 5432:

    $ tailscale serve tcp:2222 tcp://localhost:22
    
  • To forward raw, TLS-terminated TCP packets to a local TCP server on port 80:

    $ tailscale serve tls-terminated-tcp:443 tcp://localhost:80
    

HTTPS server:

serve https:<port> <mount-point> <source> [off]

The serve offers an HTTPS server that has a few modes: a reverse proxy, a file server and a static text server. HTTPS traffic is secured using an automatically provisioned TLS certificate. By default, termination is done by your node’s Tailscale daemon itself.

  • https:<port> Specifies the port to listen on. The default port is 443 (HTTPS); however, you can use choose to use any valid port number. Note, if you plan to enable Funnel, you must use one of the allowed ports: 443, 8443, or 10000.

  • <mount-point> Is a slash-separated path URL path. The root-level mount point would simply be / and, would be matched by making a request to https://my-node.tailnet.ts.net/, for example. For more information on how these path patterns are matched, refer to the Go ServeMux documentation; our mount points behave similarly.

  • <source> Serve provides 4 options for serving content, an HTTP reverse proxy, a file or directory and static text. A reverse proxy allows you to forward requests to a local HTTP web server. Providing a local file path provides the ability to serve files or directories of files. Serving static text is available mostly for debugging purposes and serves a static response.

    • Reverse proxy

      To serve as a reverse proxy to a local backend, provide a URL for the <source> argument. Note that only http://127.0.0.1 is currently supported for proxies.

      Example: tailscale serve https / http://127.0.0.1:3000

    • File server

      Provide a full, absolute path, to the file or directory of files you wish to serve. If a directory is specified, this will render a simple directory listing with links to files and sub-directories.

      Example: tailscale serve https:443 / /home/alice/blog/index.html

    • Static text server:

      Specifying text:<value> as a <source> configures a simple static plain-text server.

      Example: tailscale serve https:443 / text:"Hello, world!"

TCP forwarder:

serve tcp:<port> tcp://localhost:<local-port> [off]
serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]

The serve command offers a TCP forwarder that can be used to forward both raw TCP packets and TLS-terminated TCP packets to a local TCP server. This is useful for forwarding packets to a local TCP server. For example, a web server like Caddy or other TCP-based protocols such as SSH, or RDP. By default, the TCP forwarder forwards raw packets.

  • tcp:<port> Sets up a raw TCP forwarder listening on the specified port. You can use choose to use any valid port number.

  • tls-terminated-tcp:<port> Sets up a TLS-terminated TCP forwarder listening on the specified port. You can use choose to use any valid port number.

  • tcp://localhost:<local-port> Specifies the local port to forward packets to.

Turning off a server:

  • [off] If you wish to turn off a server, you can provide the off argument at the end of the command. This will remove the server from the list of active servers.

    Example: tailscale serve https / http://localhost:3000 off

Viewing the status of your servers:

serve status [--json]

To view the status of your servers, you can use the status command. This will list all of the servers that are currently running on your node.

  • --json If you wish to view the status in JSON format, you can provide the --json argument.

    Example: tailscale serve status --json

  • funnel {on|off} Funnel allows you to publish a ’tailscale serve’ (HTTPS or TCP) server publicly, open to the entire internet. Turning off Funnel only turns off serving to the internet. Defaults to off. It does not affect serving to your tailnet.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2023 Tailscale Inc.

Privacy & Terms