Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Get started
Login
© 2024

tailscale funnel command

The CLI commands for both Tailscale Funnel and Tailscale Serve have changed in the 1.52 version of the Tailscale client. If you’ve used Funnel or Serve in previous versions, we recommend reviewing the CLI documentation.

tailscale funnel lets you share a local service over the internet. You can also choose to use Tailscale Serve using the tailscale serve command to limit sharing within your tailnet.

tailscale funnel [flags] <target>

Sub-commands:

  • status Shows the status
  • reset Resets the configuration

To see various use cases and examples, see Tailscale Funnel examples.

Funnel command flags

Available flags:

  • --bg Determines whether the command should run as a background process.
  • --set-path Appends the specified path to the base URL for accessing the underlying service.
  • --https <port> Expose an HTTPS server at the specified port (default).
  • --tcp <port> Expose a TCP forwarder to forward TCP packets at the specified port.
  • --tls-terminated-tcp <port> Expose a TCP forwarder to forward TLS-terminated TCP packets at the specified port.

The tailscale funnel command accepts a target that can be a file, directory, text, or most commonly, the location to a service running on the local machine. The location to the local service can be expressed as a port number (for example, 3000), a partial URL (for example, localhost:3000), or a full URL including a path (for example, tls-terminated-tcp://localhost:3000/foo).

Use HTTPS and HTTP servers

tailscale funnel --https=<port> <target> [off]

The funnel offers an HTTPS server that has a few modes: a reverse proxy, a file server, and a static text server. HTTPS traffic is secured using an automatically provisioned TLS certificate. By default, termination is done by your node's Tailscale daemon itself.

  • --https=<port> Specifies the port to listen on. For Funnel, you must use one of the allowed ports: 443, 8443, or 10000.

  • --set-path Is a slash-separated URL path. The root-level mount point would simply be / and would be matched by making a request to https://my-node.example.ts.net/, for example. For more information on how these path patterns are matched, refer to the Go ServeMux documentation. Our mount points behave similarly.

  • <target> Funnel provides 4 options for serving content: an HTTP reverse proxy, a file, a directory, and static text. A reverse proxy lets you forward requests to a local HTTP web server. Providing a local file path provides the ability to serve files or directories of files. Serving static text is available mostly for debugging purposes and serves a static response.

    • Reverse proxy

      To serve as a reverse proxy to a local backend, provide the location of the <target> argument. The location to the local service can be expressed as a port number (for example, 3000), a partial URL (for example, localhost:3000), or a full URL including a path (for example, tls-terminated-tcp://localhost:3000/foo). Note that only http://127.0.0.1 is currently supported for proxies.

      Example: tailscale funnel localhost:3000

    • File server

      Provide a full, absolute path, to the file or directory of files you wish to serve. If a directory is specified, this will render a simple directory listing with links to files and subdirectories.

      Example: tailscale funnel /home/alice/blog/index.html

      Due to macOS app sandbox limitations, this option is only available when using Tailscale's open source variant. If you've installed Tailscale on macOS through the Mac App Store or as a standalone System Extension, you can use Funnel to share ports but not files or directories.

    • Static text server

      Specifying text:<value> as a <target> configures a simple static plain-text server.

      Example: tailscale funnel text:"Hello, world!"

Use a TCP forwarder

tailscale funnel tcp <port> tcp://localhost:<local-port> [off]
tailscale funnel tls-terminated-tcp <port> tcp://localhost:<local-port> [off]

The funnel command offers a TCP forwarder to forward TLS-terminated TCP packets to a local TCP server like Caddy or other TCP-based protocols such as SSH or RDP. By default, the TCP forwarder forwards raw packets.

  • tcp <port> Sets up a raw TCP forwarder listening on the specified port. You can use any valid port number.

  • tls-terminated-tcp <port> Sets up a TLS-terminated TCP forwarder listening on the specified port. You can use any valid port number.

Use valid certificates

tailscale funnel <https:target>

If you have a valid certificate, use https in the <target> argument.

Example: tailscale funnel https://localhost:8443

Ignore invalid and self-signed certificate checks

tailscale funnel <https+insecure:target>

If you run a local web server using HTTPS with a self-signed or otherwise invalid certificate, you can specify https+insecure as a special pseudo-protocol for your tailscale funnel commands.

Example: tailscale funnel https+insecure://localhost:8443

View the status

tailscale funnel status [--json]

To view the status of your servers, you can use the status sub-command. This will list all the servers that are currently running on your node.

  • --json If you wish to view the status in JSON format, you can provide the --json argument.

Example: tailscale funnel status --json

Reset Tailscale Funnel

tailscale funnel reset

To clear the current tailscale funnel configuration, use the reset sub-command.

Disable Tailscale Funnel

  • [off] To turn off a tailscale funnel command, you can add off to the end of the command you used to turn it on. This will remove the server from the list of active servers. In off commands, the <target> argument is optional, but all original flags are required.

If this command turned on a server:

tailscale funnel --https=443 /home/alice/blog/index.html

You can turn it off by running:

tailscale funnel --https=443 /home/alice/blog/index.html off

You can omit the <target> argument, so these 2 commands are equivalent:

tailscale funnel --https=443 --set-path=/foo /home/alice/blog/index.html off
tailscale funnel --https=443 --set-path=/foo off

Effects of rebooting and restarting

If you use the tailscale funnel command with the -bg flag, it runs persistently in the background until you disable it. When you reboot the device or restart Tailscale from the command line using tailscale down and tailscale up, Funnel will automatically resume sharing.

If you use the tailscale funnel command without the -bg flag, then reboot the device or restart Tailscale from the command line, Funnel must be restarted manually to resume sharing.

Last updated Sep 11, 2024