Manage devices using the web interface

The web interface is a browser-based GUI available on all machines running the desktop platform of the Tailscale client, including Linux, macOS, and Windows. This allows you to configure settings without needing to use the Tailscale CLI or to configure settings on a device that does not have a built-in GUI.

A device must have Tailscale v1.56.0 or later installed to access its web interface.

Tailscale plug-ins for third-party software such as Unraid or Home Assistant frequently have the web interface running by default.

Start the web interface on a device

Before accessing the web interface for a device, you must enable it using the Tailscale CLI in a terminal session.

To run the web interface in foreground mode, open a terminal session on the device and run tailscale web. When you close the terminal session or press Ctrl + C, the web interface will stop.

To run the web interface persistently in the background, open a terminal session on the device and run tailscale set --webclient. This will keep the web interface running until you run tailscale set --webclient=false or disconnect the device from your tailnet.

Your tailnet policy file manages access to the web client. Any user on your tailnet, or any user with whom the device has been shared, with ACL access to the device’s port 5252 will be able to view its web interface.

Open and authenticate to the web interface

From your web browser, use one of the following methods to access the web interface for a device in your tailnet:

  • Go to to access the web interface on the device you are currently using
  • Go to <tailscaleIP>:5252 to access the web interface on another device, where tailscaleIP is the address for the device. This can only be done if the viewing user has access to port 5252 on the destination as permitted in your tailnet policy file.
  • Go to localhost:8080, or the address and port provided to tailscale web from the device running the web interface.
  • Some platforms, including Synology, expose the web interface over the LAN through their management console.

When you initially visit the web interface from a browser, you are always shown the read-only view, for security reasons. Anyone with access to the page can see the read-only view of the web interface. From here you can view metadata about the device, including its IP address, by clicking View device details.

To change device settings in the web interface, you must complete a check mode authentication step. Click your profile photo in the upper right, select Sign in, and then complete the authentication flow.

If the device is owned by a user, you must be the device owner to complete the check mode and make changes. If the device is assigned an ACL tag, any member of the tailnet (or users the device has been shared with) with access can complete the check mode and make changes.

To limit who can access the web interface for a device, modify your tailnet policy file to restrict access to port 5252 on devices running the web interface.


The web interface allows you to configure the Tailscale settings for a device. Not all features are available on every platform. When a feature is not supported for a platform, it will not appear in that device’s web interface.

Enable exit nodes

To select an exit node to route the device through, go to This device, click Exit node, then select the exit node you want to use. To stop using the exit node, click Disable.

To advertise the device as an exit node, go to This device, click Exit node, then select Run as exit node. To stop advertising the device as an exit node, click Disable.

Enable a subnet router

Configuring a device as a subnet router allows you to remotely access resources on your network that may not have Tailscale installed, such as a printer.

To use the device as a subnet router, go to Settings and click Subnet router drop-down. In the text field, enter the combined IP address and subnet mask (CIDR) you want to advertise to your tailnet and click Advertise routes. You can enter multiple subnets by separating them with commas. To stop advertising routes, click Stop advertising next to the route.

If your advertised routes are pending approval, you can enable subnet routes from the admin console.

Enable Tailscale SSH

To enable Tailscale SSH on the device, go to Settings, click Tailscale SSH server, then turn the toggle on. To disable the Tailscale SSH server, turn the toggle off.