Manage devices using the web interface
The web interface is a browser-based GUI available on all machines running the desktop platform of the Tailscale client, including Linux, macOS, and Windows. This allows you to configure settings without needing to use the Tailscale CLI or to configure settings on a device that does not have a built-in GUI.
Before accessing the web interface for a device, you must enable it using the Tailscale CLI in a terminal session.
To run the web interface in foreground mode, open a terminal session on the device and run
tailscale web. When you close the terminal session or press
C, the web interface will stop.
To run the web interface persistently in the background, open a terminal session on the device and run
tailscale set --webclient. This will keep the web interface running until you run
tailscale set --webclient=false or disconnect the device from your tailnet.
From your web browser, use one of the following methods to access the web interface for a device in your tailnet:
- Go to
100.100.100.100to access the web interface on the device you are currently using
- Go to
<tailscaleIP>:5252to access the web interface on another device, where
tailscaleIPis the address for the device. This can only be done if the viewing user has access to port 5252 on the destination as permitted in your tailnet policy file.
- Go to
localhost:8080, or the address and port provided to
tailscale webfrom the device running the web interface.
- Some platforms, including Synology, expose the web interface over the LAN through their management console.
When you initially visit the web interface from a browser, you are always shown the read-only view, for security reasons. Anyone with access to the page can see the read-only view of the web interface. From here you can view metadata about the device, including its IP address, by clicking View device details.
To change device settings in the web interface, you must complete a check mode authentication step. Click your profile photo in the upper right, select Sign in, and then complete the authentication flow.
If the device is owned by a user, you must be the device owner to complete the check mode and make changes. If the device is assigned an ACL tag, any member of the tailnet (or users the device has been shared with) with access can complete the check mode and make changes.
To limit who can access the web interface for a device, modify your tailnet policy file to restrict access to port 5252 on devices running the web interface.
The web interface allows you to configure the Tailscale settings for a device. Not all features are available on every platform. When a feature is not supported for a platform, it will not appear in that device’s web interface.
To select an exit node to route the device through, go to This device, click Exit node, then select the exit node you want to use. To stop using the exit node, click Disable.
To advertise the device as an exit node, go to This device, click Exit node, then select Run as exit node. To stop advertising the device as an exit node, click Disable.
Configuring a device as a subnet router allows you to remotely access resources on your network that may not have Tailscale installed, such as a printer.
To use the device as a subnet router, go to Settings and click Subnet router drop-down. In the text field, enter the combined IP address and subnet mask (CIDR) you want to advertise to your tailnet and click Advertise routes. You can enter multiple subnets by separating them with commas. To stop advertising routes, click Stop advertising next to the route.
If your advertised routes are pending approval, you can enable subnet routes from the admin console.
To enable Tailscale SSH on the device, go to Settings, click Tailscale SSH server, then turn the toggle on. To disable the Tailscale SSH server, turn the toggle off.