tailscale serve command

The CLI commands for both Tailscale Funnel and Tailscale Serve have changed in the 1.52 version of the Tailscale client. If you’ve used Funnel or Serve in previous versions, we recommend reviewing the CLI documentation.

tailscale serve allows you to share a local service securely within your tailnet.

tailscale serve [flags] <target>

You can also choose to use Tailscale Funnel via the tailscale funnel command to expose your service publicly, open to the entire internet.

Sub-commands:

  • status Shows the status
  • reset Resets the configuration

To see various use cases and examples, see Tailscale Serve examples.

Serve command flags

Available flags:

  • --bg Determines whether the command should run as a background process.
  • --set-path Appends the specified path to the base URL for accessing the underlying service.
  • --https <port> Expose an HTTPS server at the specified port (default).
  • --http <port> Expose an HTTP server at the specified port.
  • --tcp <port> Expose a TCP forwarder to forward TCP packets at the specified port.
  • --tls-terminated-tcp <port> Expose a TCP forwarder to forward TLS-terminated TCP packets at the specified port.

The tailscale serve command accepts a target that can be a file, directory, text, or most commonly, the location to a service running on the local machine. The location to the local service can be expressed as a port number (e.g., 3000), a partial URL (e.g., localhost:3000), or a full URL including a path (e.g., tcp://localhost:3000/foo, https+insecure://localhost:3000/foo).

Use HTTPS and HTTP servers 

tailscale serve --https=<port> <target> [off]
tailscale serve --http=<port> <target> [off]

The serve offers an HTTPS and HTTP server that has a few modes: a reverse proxy, a file server, and a static text server. HTTPS traffic is secured using an automatically provisioned TLS certificate. By default, termination is done by your node’s Tailscale daemon itself.

  • --https=<port> or http=<port> Specifies the port to listen on

  • --set-path Is a slash-separated URL path. The root-level mount point would simply be / and would be matched by making a request to https://my-node.example.ts.net/, for example. For more information on how these path patterns are matched, refer to the Go ServeMux documentation. Our mount points behave similarly.

  • <target> Serve provides 4 options for serving content: an HTTP reverse proxy, a file, a directory, and static text. A reverse proxy allows you to forward requests to a local HTTP web server. Providing a local file path provides the ability to serve files or directories of files. Serving static text is available mostly for debugging purposes and serves a static response.

    • Reverse proxy

      To serve as a reverse proxy to a local backend, provide the location of the <target> argument. The location to the local service can be expressed as a port number (e.g., 3000), a partial URL (e.g., localhost:3000), or a full URL including a path (e.g., tcp://localhost:3000/foo, https+insecure://localhost:3000/foo). Note that only http://127.0.0.1 is currently supported for proxies.

      Example: tailscale serve localhost:3000

      Or, to serve over HTTP:

      Example: tailscale serve --http=80 localhost:3000

      HTTP servers are accessible via short MagicDNS names like http://my-node

    • File server

      Provide a full, absolute path to the file or directory of files you wish to serve. If a directory is specified, this will render a simple directory listing with links to files and sub-directories.

      Example: tailscale serve /home/alice/blog/index.html

      Due to macOS app sandbox limitations, this option is only available when using Tailscale’s open source variant. If you’ve installed Tailscale on macOS through the Mac App Store or as a standalone System Extension, you can use Serve to share ports but not files or directories.

    • Static text server

      Specifying text:<value> as a <target> configures a simple static plain-text server.

      Example: tailscale serve text:"Hello, world!"

Use a TCP forwarder 

serve tcp:<port> tcp://localhost:<local-port> [off]
serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]

The serve command offers a TCP forwarder that can be used to forward both raw TCP packets and TLS-terminated TCP packets to a local TCP server like Caddy or other TCP-based protocols such as SSH or RDP. By default, the TCP forwarder forwards raw packets.

  • tcp:<port> Sets up a raw TCP forwarder listening on the specified port. You can use any valid port number.

  • tls-terminated-tcp:<port> Sets up a TLS-terminated TCP forwarder listening on the specified port. You can use any valid port number.

  • tcp://localhost:<local-port> Specifies the local port to forward packets to.

Use a valid certificate 

tailscale serve <https:target>

If you have a valid certificate, use https in the <target> argument.

Example: tailscale serve https://localhost:8443

Ignore invalid and self-signed certificate checks 

tailscale serve <https+insecure:target>

If you run a local web server using HTTPS with a self-signed or otherwise invalid certificate, you can specify https+insecure as a special pseudo-protocol for your tailscale serve commands.

Example: tailscale serve https+insecure://localhost:8443

View the status 

tailscale serve status [--json]

To view the status of your servers, you can use the status sub-command. This will list all of the servers that are currently running on your node.

  • --json If you wish to view the status in JSON format, you can provide the --json argument.

    Example: tailscale serve status --json

Reset Tailscale Serve 

tailscale serve reset

To clear out the current tailscale serve configuration, use the reset sub-command.

Disable Tailscale Serve

  • [off] To turn off a tailscale serve command, you can add off to the end of the command you used to turn it on. This will remove the server from the list of active servers. In off commands, the <target> argument is optional, but all original flags are required.

If this command turned on a server:

$ tailscale serve --https=443 /home/alice/blog/index.html

You can turn it off by running:

$ tailscale serve --https=443 /home/alice/blog/index.html off

You can omit the <target> argument, so these 2 commands are equivalent:

$ tailscale serve --https=443 --set-path=/foo /home/alice/blog/index.html off
$ tailscale serve --https=443 --set-path=/foo off

Effects of rebooting and restarting

If you use the tailscale serve command with the -bg flag, it runs persistently in the background until you disable it. When you reboot the device or restart Tailscale from the command line using tailscale down and tailscale up, Serve will automatically resume sharing.

If you use the tailscale serve command without the -bg flag, then reboot the device or restart Tailscale from the command line, Serve must be restarted manually to resume sharing.

Last updated

On This Page