App connectors
App connectors allow you to control device and user access to your third-party applications, without requiring any end user configuration. You can control access to software as a service (SaaS) applications available over your Tailscale network in the same way that you would administer access for your self-hosted applications.
How app connectors work
When you use an app connector, you specify which applications you wish to make accessible over the tailnet, and the domains for those applications. HTTPS traffic for the application is then forced over the tailnet to a node running an app connector before egressing to the target domains. This is useful for cases where the application has an allowlist of IP addresses which can connect to it: the IP address of the node running the app connector can be added to the allowlist, and all nodes on the tailnet will use that IP address for their traffic egress.
App connectors work by setting themselves as the nameservers for domains which should transit the tailnet. An app connector returns its own Tailscale IP address in response to any query. When it receives an HTTPS request, it decodes the server name indication (SNI) header to determine where on the public internet to steer the request. This request then egresses the tailnet through the appropriate app connector.
App connectors are an always-on feature. Domains configured to route through an app connector will always route through that app connector from all clients on the tailnet. Clients cannot override this functionality. App connectors will be used even when an exit node is enabled on a client’s device.
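To make the SNI step concrete, here is an added Python example (not code from Tailscale or the sniproxy image) that pulls the server name out of a TLS ClientHello the way an app connector must before it can pick an egress target, and then decides whether the name falls under a configured domain. The ClientHello builder is constructed sample input rather than a capture, and the subdomain matching and refuse-unknown-hosts behaviour in `steer` are this example's own assumptions, not documented sniproxy behaviour.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension (RFC 6066)
HOST_NAME_TYPE = 0x00         # NameType host_name


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.

    Constructed sample input for the parser below, not a real capture; only the
    fields the parser has to skip over are populated.
    """
    host = server_name.encode("idna")
    sni_entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # random (zeros; constructed)
        + b"\x00"                              # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None.

    None covers everything an app connector cannot steer by SNI: plain HTTP,
    truncated records, or a ClientHello without a host_name entry.
    """
    if len(record) < 5 or record[0] != 0x16:            # not a TLS handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:   # truncated, or not client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < int.from_bytes(hs[1:4], "big"):
        return None
    pos = 2 + 32                                        # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                # skip compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p, list_end = 2, min(2 + list_len, len(data))
        while p + 3 <= list_end:
            name_type = data[p]
            (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def steer(record: bytes, configured_domains):
    """Decide where this example's connector would egress a client's HTTPS connection.

    Assumption of this example: a host matches a configured domain exactly or as
    a subdomain of it; any other host is refused rather than proxied.
    """
    host = extract_sni(record)
    if host is None:
        return None
    h = host.lower().rstrip(".")
    for domain in configured_domains:
        d = domain.lower().rstrip(".")
        if h == d or h.endswith("." + d):
            return (h, 443)
    return None


if __name__ == "__main__":
    hello = build_client_hello("api.github.com")
    print(extract_sni(hello), steer(hello, ["github.com"]))
```

The refuse-by-default branch in `steer` is the part worth keeping in mind when you read the allowlist section below: a node whose public IP is on a SaaS allowlist should only ever egress to the domains it was configured for.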
Add an app connector
You need to be an Owner, Admin, or Network admin of a tailnet in order to add an app connector.
- Open the Keys page of the admin console, and select Generate auth key. We recommend assigning a tag to the key to automatically tag a device when it is authenticated.
- Install the app connector on the device where you intend it to run. The app connector is available as a Docker image. We recommend running the Docker image in detached mode. Insert your generated auth key to register the app connector with your tailnet.
docker run --env TS_AUTHKEY=<auth_key> -d -v ${PWD}:/root/.config/ tailscale/sniproxy:unstable
- Open the Access controls page of the admin console, and provide users access to the app connector by granting access to ports 53 (DNS) and 443 (HTTPS) on the node running the app connector. You can optionally add HTTP port 80, which will automatically be upgraded to HTTPS by the app connector. Use the tag you assigned in the first step to apply these rules to all app connectors. The following example grants the source autogroup:member access to the app connector, where the assigned device tag is app-connector:
{
// app-connector
"action": "accept",
"src": ["autogroup:member"],
"dst": [
"tag:app-connector:53",
"tag:app-connector:443",
"tag:app-connector:80"
]
}
After you’ve added and registered the app connector for your tailnet, you must configure domains to route through the app connector, using the steps provided in the following section.
Add a domain to an app connector
You need to be an Owner, Admin, or Network admin of a tailnet in order to add a domain to an app connector.
- Open the Machines page of the admin console, and locate the app connector device. Look for the Connector badge in the device list, or use the attribute:connector filter to see all of the app connector devices in your tailnet.
- Click on the menu next to the app connector device, and select Edit route settings.
- In the Domains section, add the domains that you want to route through the app connector.
The domain is now configured to route through the app connector. Traffic to the configured domains will now be carried over the tailnet to the app connector before egressing over the internet to the target domain, even when an exit node is enabled. The source IP address will be the public IP address of the device running the app connector.
Add an app connector to a SaaS IP allowlist
Many SaaS applications can be configured for access from only trusted IP addresses. The app connector allows you to always egress from a single or small set of known IP addresses, ensuring traffic to the SaaS application is coming from users and devices on your tailnet. To configure the IP allowlist, locate your SaaS provider’s IP allowlist configuration page and add the public IP addresses of every device where an app connector is installed for that SaaS application’s domains. If multiple app connectors are being used in high availability mode, add all of the app connector public IP addresses. You can often find the public IP address in your infrastructure provider’s administrative console.
Note that the Tailscale IP addresses of app connectors are private to the tailnet, and do not represent the public IP address from which an app connector egresses internet-bound traffic.
Remove a domain from an app connector
You need to be an Owner, Admin, or Network admin of a tailnet in order to remove a domain from an app connector.
- Open the Machines page of the admin console, and locate the app connector device. Look for the Connector badge in the device list, or use the attribute:connector filter to see all of the app connector devices in your tailnet.
- Click on the menu next to the app connector device and select Edit route settings.
- In the Domains section, remove the domains that you no longer want to route through the app connector. If the domain is set up in high availability mode, repeat these steps across all relevant app connectors.
The domain is no longer configured to route through the app connector. Traffic to the domain will now egress directly from the client device, or over an exit node if one is enabled.
Remove an app connector
You need to be an Owner, Admin, or Network admin of a tailnet in order to remove an app connector.
- Before removing an app connector, make sure you first remove all domains from the app connector.
- Open the Machines page of the admin console, and locate the app connector device. Look for the Connector badge in the device list, or use the attribute:connector filter to see all of the app connector devices in your tailnet.
- Click on the menu next to the app connector device, select Remove, and confirm the removal.
High availability
The same domain can be added to multiple app connectors to create a highly available fleet of app connectors. To do this, add the domain to each connector as described in Add a domain to an app connector. Each client device will receive one of the available app connectors as the nameserver (NS) record for that domain. Traffic will then be routed through that app connector to the target domain.
When an app connector becomes unavailable while in high availability mode, Tailscale will quickly recognize the status change of the device and migrate clients to an available app connector when resolving DNS queries to the target domain.
Forwarding non-HTTPS traffic
The app connector can be configured to forward TCP traffic on certain ports to specific hosts. This can be useful if your target applications use non-standard ports or protocols other than HTTPS. For example, an app connector can be configured to forward git-over-ssh traffic to GitHub, so that developers don’t have to configure any ssh bastions to use GitHub over SSH.
To do so, include the forwarding parameter when spinning up the app connector, using the syntax TS_APPC_FORWARDS=tcp/<port>/<fqdn>,tcp/<port>/<fqdn>, like so:
docker run --env TS_APPC_FORWARDS=tcp/22/github.com -d tailscale/sniproxy:unstable
If you are using an app connector to forward multiple ports, you can specify each in the command line:
docker run --env TS_APPC_FORWARDS=tcp/22/github.com,tcp/5000/example.com -d tailscale/sniproxy:unstable
Finally, add your forwarded ports to your ACL to allow traffic within the tailnet:
{
// app-connector, with example.com and github.com traffic allowed
"action": "accept",
"src": ["autogroup:member"],
"dst": [
"tag:app-connector:53",
"tag:app-connector:443",
"tag:app-connector:5000",
"tag:app-connector:22",
],
}
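A mismatch between the ports listed in TS_APPC_FORWARDS and the ports granted in the ACL is the usual reason a forwarded port silently fails, so here is an added Python preflight check (not Tailscale's code) that parses a TS_APPC_FORWARDS value, works out every dst an ACL rule must grant for the connector tag (53, 443 and each forwarded port, as required by this section and the Add an app connector section above), and reports what the rule is missing. The rule text embedded below is the page's own example; the minimal HuJSON stripper and the treatment of a tag-wide `*` port grant are this example's assumptions.

```python
import json
import re

# The ACL rule from this page, as the admin console accepts it (HuJSON allows
# comments and trailing commas, which the json module does not).
ACL_RULE_HUJSON = """{
// app-connector, with example.com and github.com traffic allowed
"action": "accept",
"src": ["autogroup:member"],
"dst": [
"tag:app-connector:53",
"tag:app-connector:443",
"tag:app-connector:5000",
"tag:app-connector:22",
],
}"""

_COMMENT = re.compile(r"//[^\n]*")
_TRAILING_COMMA = re.compile(r",(\s*[\]}])")


def load_hujson(text: str):
    """Parse the HuJSON subset seen in ACL snippets with the standard json module.

    Simplification for this example: '//' comments are stripped even inside
    strings, which is safe for ACL rules because no rule value contains '//'.
    """
    return json.loads(_TRAILING_COMMA.sub(r"\1", _COMMENT.sub("", text)))


def parse_forwards(spec: str):
    """Parse a TS_APPC_FORWARDS value, 'tcp/<port>/<fqdn>,...', into (proto, port, fqdn) tuples."""
    forwards = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        parts = item.split("/", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed forward {item!r}; expected tcp/<port>/<fqdn>")
        proto, port, fqdn = parts
        if proto != "tcp":
            raise ValueError(f"unsupported protocol in {item!r}; only tcp is documented")
        port = int(port)
        if not 1 <= port <= 65535 or not fqdn:
            raise ValueError(f"bad port or host in {item!r}")
        forwards.append((proto, port, fqdn))
    return forwards


def required_dsts(tag: str, forwards):
    """Every dst an ACL rule must grant for a connector: DNS, HTTPS and each forwarded port."""
    ports = {53, 443} | {port for _, port, _ in forwards}
    return {f"tag:{tag}:{port}" for port in ports}


def missing_dsts(rule: dict, tag: str, forwards_spec: str):
    """Return the required dst entries the rule does not grant, sorted; empty means OK."""
    wanted = required_dsts(tag, parse_forwards(forwards_spec))
    granted = set(rule.get("dst", []))
    if f"tag:{tag}:*" in granted:      # assumption: a tag-wide port wildcard covers everything
        return []
    return sorted(wanted - granted)


if __name__ == "__main__":
    rule = load_hujson(ACL_RULE_HUJSON)
    print(missing_dsts(rule, "app-connector", "tcp/22/github.com,tcp/5000/example.com"))
    print(missing_dsts(rule, "app-connector", "tcp/22/github.com,tcp/3306/db.example.com"))
```

Port 80 is deliberately not in the required set, since the page lists it as optional; add it to `required_dsts` if your connectors are expected to accept plain HTTP and upgrade it.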
Considerations
- When configuring a SaaS provider using this method, the provider often uses multiple domains. All of these domains need to be added to your app connector. A helpful resource for this is the v2fly project, which curates a list of known domains used by various services.
- App connectors are an always-on feature. Domains configured to route through a specified app connector will always route through that app connector. Clients cannot override this functionality.
- If an app connector becomes unavailable while in use, and no other app connectors are available for a particular domain, resolution to the domain will begin to fail until the app connector is again online.
- To view all of the routes configured for use with app connectors, go to the DNS page of the admin console, and view the Nameservers section.
- If an app connector is removed and then re-added to the tailnet, the app connector will receive a new Tailscale IP address, and traffic to a domain through that connector will no longer resolve.