Get started
© 2024

Using Tailscale with Docker

Tailscale has a published Docker image that Tailscale manages and builds from source. It's available in Docker Hub and GitHub Packages.

Pull image

To pull the image, run:

docker pull tailscale/tailscale:latest


docker pull

The current version of the Makefile required for the examples in this doc is in the tailscale repo.

Supported tags

Containers are tagged based on the Tailscale versioning scheme.

  • Use stable or latest to get the latest stable version.
    • v1.58.2, v1.58 to get a specific stable version.
  • Use unstable to get the latest unstable version.
    • unstable-v1.59.37, unstable-v1.59.44 to get a specific unstable version.


You can set additional parameters for use with the image. All configuration is optional.


Accept DNS configuration from the admin console. Not accepted by default.


Attempt to log in only if not already logged in. False by default, to forcibly log in every time the container starts.


An auth key used to authenticate the container. This is equivalent to what you'd pass to tailscale login --authkey=.

It is also possible to use an OAuth client secret here but the associated tag must be provided using TS_EXTRA_ARGS=--advertise-tags=tag:ci.

To mark a containerized node as ephemeral append ?ephemeral=true to the auth key or OAuth client secret.


Proxy all incoming Tailscale traffic to the specified destination IP.


If running in Kubernetes, the Kubernetes secret name where Tailscale state is stored. The default is tailscale.

If TS_AUTHKEY is not set, and TS_KUBE_SECRET contains a secret with an authkey field, that key is used as a Tailscale auth key.


Use the specified hostname for the node. This is equivalent to tailscale set --hostname=.


Set an address and port for the HTTP proxy. This will be passed to tailscaled --outbound-http-proxy-listen=. For example, to set the SOCKS5 proxy to port 1055, this is :1055, which is equivalent to tailscaled --outbound-http-proxy-listen=:1055.


Advertise subnet routes. This is equivalent to tailscale set --advertise-routes=. To accept advertised routes, use TS_EXTRA_ARGS to pass in --accept-routes.


Accepts a JSON file to programatically configure Serve and Funnel functionality. Use tailscale serve -json to export your current configuration in the correct format.

If this file is bind mounted using a Docker volume, it must be done so as a directory and not an individual file for configuration updates to be correctly detected.


Unix socket path used by the Tailscale binary, where the tailscaled LocalAPI socket is created. The default is /var/run/tailscale/tailscaled.sock. This is equivalent to tailscaled tailscale --socket=.


Set an address and port for the SOCKS5 proxy. This will be passed to tailscaled --socks5-server=. For example, to set the SOCKS5 proxy to port 1055, this is :1055, which is equivalent to tailscaled --socks5-server=:1055.


Directory where the state of tailscaled is stored. This needs to persist across container restarts. This will be passed to tailscaled --statedir=.

When running on Kubernetes, state is stored by default in the Kubernetes secret with name:tailscale. To store state on local disk instead, set TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir.


Enable userspace networking, instead of kernel networking. Enabled by default. This is equivalent to tailscaled --tun=userspace-networking.

Extra arguments


Any other flags to pass in to the Tailscale CLI in a tailscale set command.


Any other flags to pass in to tailscaled.

Code examples

Below is a complete docker-compose code snippet utlizing an OAuth client secret.

version: "3.7"
    image: tailscale/tailscale:latest
    hostname: tailscale-nginx
      - TS_AUTHKEY=tskey-client-notAReal-OAuthClientSecret1Atawk
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - ${PWD}/tailscale-nginx/state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
      - net_admin
      - sys_module
    restart: unless-stopped
    image: nginx
      - tailscale-nginx
    network_mode: service:tailscale-nginx

More examples can be found in tailscale-dev/docker-guide-code-examples.