Get started
Login
© 2024

Taildrive

Taildrive allows you to persistently share folders with other users and devices on your Tailscale network (known as a tailnet). Using Taildrive, you could:

  • Share folders with your colleagues.
  • Access files from your desktop PC or NAS server from your phone, anywhere in the world.
  • Connect a backup utility, like Duplicati or rclone, to a Taildrive folder on your NAS.
Taildrive is currently in alpha. To try it, follow the steps below to enable it for your network using Tailscale 1.64.0 or later.

How it works

Normally, maintaining a file server requires you to manage credentials and access rules separately from the connectivity layer. Taildrive offers a file server that unifies connectivity and access controls, allowing you to share directories directly from the Tailscale client. You can then use your tailnet policy file to define which members of your tailnet can access a particular shared directory, and even define specific read and write permissions.

Beginning in version 1.64.0, the Tailscale client includes a WebDAV server that runs on 100.100.100.100:8080 while Tailscale is connected. Every directory that you share receives a globally-unique path consisting of the tailnet, the machine name, and the share name: /tailnet/machine/share.

For example, if you shared a directory with the share name docs from the machine mylaptop on the tailnet mydomain.com, the share's path would be /mydomain.com/mylaptop/docs.

Configure Taildrive

Taildrive's server component is only available on Linux, macOS, and Windows devices. iOS and Android devices can access directories shared from these platforms, but cannot share directories themselves.

Enable Taildrive in the policy file

You need to be an Owner, Admin, or Network admin to edit the tailnet policy file. Enabling Taildrive requires two steps: Enabling Taildrive on devices by setting a nodeAttr, and defining sharing permissions using ACL grants.

Add nodeAttrs to enable Taildrive on devices

In order to share directories or access directories shared by other devices, you need to enable Taildrive in the nodeAttrs section of your tailnet policy file. Edit your policy file to make this change.

For example, this policy will enable Taildrive on every member's devices. Every member of your tailnet will be able to share directories from their device and access shared directories.

"nodeAttrs": [
  {
    "target": ["autogroup:member"],
    "attr": [
      "drive:share",
      "drive:access",
    ],
  }
]

This policy enables Taildrive access on all devices, but only allows Taildrive sharing on devices owned by tailnet administrators.

"nodeAttrs": [
  {
    // Any device can access shared directories with Taildrive
    "target": ["*"],
    "attr": ["drive:access"],
  },
  {
    // Only tailnet admins can use Taildrive to share directories
    "target": ["autogroup:admin"],
    "attr": [
      "drive:share",
      "drive:access",
    ],
  }
]

Define sharing permissions

Once Taildrive has been enabled on your devices, you must define specific sharing permissions using ACL grants.

The broadest possible policy allows all devices to access all shares in the tailnet, no matter which user or tag owns the device:

"grants": [
  {
    "src": ["*"],
    "dst": ["*"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["*"],
        "access": "rw"
      }]
    }
  }
]

You may also choose to allow members to read and write to their own shared directories from any of their devices. A policy to allow this would look like:

"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["autogroup:self"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["*"],
        "access": "rw"
      }]
    }
  }
]

You can also limit write access or even define permissions for accessing specific shares. The following policy allows all tailnet members to read files from the company-docs share with the tag fileserver, but does not grant access to any other shared directories besides company-docs and does not allow write access:

Warning: Read-only mode currently permits file deletions. See this issue for details.

"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["tag:fileserver"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["company-docs"],
        "access": "ro"
      }]
    }
  }
]

Sharing and accessing folders with Taildrive

Tailscale must be running in order be able to access Taildrive shares at 100.100.100.100:8080.


Share directories with Taildrive

If you're using the MacOS GUI client, you can manage Taildrive sharing through the Settings UI. While Taildrive is in alpha, File Sharing settings are hidden by default. To enable them, run one of the below commands in a terminal.

For applications installed from the App store:

defaults write io.tailscale.ipn.macos FileSharingConfiguration -string show

For applications downloaded from tailscale.com:

defaults write io.tailscale.ipn.macsys FileSharingConfiguration -string show

Once you've enabled the Taildrive settings in the terminal, you will see a File Sharing tab on the Settings screen.

Click on Choose Shared Folders to start managing your shared folders.

To add a new share, click the + (plus) button. Once you select a folder, the share will be automatically named after the selected folder.

You can rename the share by double clicking on its name in the list.

To remove a share, select it in the list and click the (minus) button.

Access directories shared with Taildrive

You can access Taildrive shares by connecting to the Taildrive server at 100.100.100.100:8080.

  1. Open Finder, then select Go from the app menu. Choose Connect to Server. Alternatively, with Finder open, you can use the keyboard shortcut Cmd + K.
  2. In the Server address field, enter http://100.100.100.100:8080 You can add this address to your favorites by clicking the + icon below the Favorite Servers table.
  3. When the Unsecured Connection prompt appears, click Continue. While the connection takes place over HTTP, it is still encrypted in Tailscale's WireGuard tunnels, so your connection is still secure.
  4. Choose Guest in the Connect As: menu and click Connect.

macOS will connect to the Taildrive WebDAV server and show a Finder window with your tailnet name as a folder. Inside that folder, Taildrive will load a folder for each device in your tailnet, and any shares that are active on the devices will appear within those folders.

Limitations

  • Using Taildrive with rclone on client version 1.64.2 or earlier will fail without the --inplace flag. Use version 1.65.75 or later to avoid this.