Taildrive

Taildrive allows you to persistently share folders with other users and devices on your Tailscale network (known as a tailnet). Using Taildrive, you could:

  • Share folders with your colleagues.
  • Access files from your desktop PC or NAS server from your phone, anywhere in the world.
  • Connect a backup utility, like Duplicati or rclone, to a Taildrive folder on your NAS.

Taildrive is currently in alpha. To try it, follow the steps below to enable it for your network using Tailscale 1.64.0 or later.

How it works

Normally, maintaining a file server requires you to manage credentials and access rules separately from the connectivity layer. Taildrive offers a file server that unifies connectivity and access controls, allowing you to share directories directly from the Tailscale client. You can then use your tailnet policy file to define which members of your tailnet can access a particular shared directory, and even define specific read and write permissions.

Beginning in version 1.64.0, the Tailscale client includes a WebDAV server that runs on 100.100.100.100:8080 while Tailscale is connected. Every directory that you share receives a globally-unique path consisting of the tailnet, the machine name, and the share name: /tailnet/machine/share.

For example, if you shared a directory with the share name docs from the machine mylaptop in the tailnet mydomain.com, the share's path would be /mydomain.com/mylaptop/docs.

Configure Taildrive

Taildrive's server component is only available on Linux, macOS, and Windows devices. iOS and Android devices can access directories shared from these platforms, but cannot share directories themselves.

Enable Taildrive in the policy file

You need to be an Owner, Admin, or Network admin to edit the tailnet policy file. Enabling Taildrive requires two steps: enabling Taildrive on devices by setting a nodeAttr, and defining sharing permissions using grants.

Add nodeAttrs to enable Taildrive on devices

In order to share directories or access directories shared by other devices, you need to enable Taildrive in the nodeAttrs section of your tailnet policy file. Edit your policy file to make this change.

For example, this policy will enable Taildrive on every member's devices. Every member of your tailnet will be able to share directories from their device and access shared directories.

"nodeAttrs": [
  {
    "target": ["autogroup:member"],
    "attr": [
      "drive:share",
      "drive:access",
    ],
  }
]

This policy enables Taildrive access on all devices, but only allows Taildrive sharing on devices owned by tailnet administrators.

"nodeAttrs": [
  {
    // Any device can access shared directories with Taildrive
    "target": ["*"],
    "attr": ["drive:access"],
  },
  {
    // Only tailnet admins can use Taildrive to share directories
    "target": ["autogroup:admin"],
    "attr": [
      "drive:share",
      "drive:access",
    ],
  }
]

Define sharing permissions

Once Taildrive has been enabled on your devices, you must define specific sharing permissions using grants.

The broadest possible policy allows all devices to access all shares in the tailnet, no matter which user or tag owns the device:

"grants": [
  {
    "src": ["*"],
    "dst": ["*"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["*"],
        "access": "rw"
      }]
    }
  }
]

You may also choose to allow members to read and write to their own shared directories from any of their devices. A policy to allow this would look like:

"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["autogroup:self"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["*"],
        "access": "rw"
      }]
    }
  }
]

You can also limit write access or define permissions for specific shares. The following policy allows all tailnet members to read files from the company-docs share on devices with the tag fileserver. It does not allow write access, and it does not grant access to any shared directory other than company-docs:

"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["tag:fileserver"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["company-docs"],
        "access": "ro"
      }]
    }
  }
]
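The three grants above, run through a small audit script that flags how broadly each one exposes shares. This is an added example, not Tailscale's code: the function name audit_drive_grants and the labels broadest, review and scoped are assumptions of this example, and the sample policy is constructed from the snippets on this page as strict JSON.

```python
import json

DRIVE_CAP = "tailscale.com/cap/drive"

# Constructed input: the three grants shown above, as strict JSON. A real policy
# file is HuJSON (comments, trailing commas), which json.loads rejects.
SAMPLE_POLICY = json.loads("""
{"grants": [
  {"src": ["*"], "dst": ["*"],
   "app": {"tailscale.com/cap/drive": [{"shares": ["*"], "access": "rw"}]}},
  {"src": ["autogroup:member"], "dst": ["autogroup:self"],
   "app": {"tailscale.com/cap/drive": [{"shares": ["*"], "access": "rw"}]}},
  {"src": ["autogroup:member"], "dst": ["tag:fileserver"],
   "app": {"tailscale.com/cap/drive": [{"shares": ["company-docs"], "access": "ro"}]}}
]}
""")


def audit_drive_grants(policy):
    """Classify every Taildrive capability entry in policy["grants"].

    Labels are this example's own convention (an assumption):
      broadest - src, dst and shares are all "*" with "rw" access
      review   - write access combined with a wildcard, outside autogroup:self
      scoped   - everything else
    """
    findings = []
    for index, grant in enumerate(policy.get("grants", [])):
        src, dst = grant.get("src", []), grant.get("dst", [])
        for cap in grant.get("app", {}).get(DRIVE_CAP, []):
            shares = cap.get("shares", [])
            writable = cap.get("access") == "rw"
            wild = [name for name, values in
                    (("src", src), ("dst", dst), ("shares", shares)) if "*" in values]
            if writable and len(wild) == 3:
                label = "broadest"
            elif writable and wild and dst != ["autogroup:self"]:
                label = "review"
            else:
                label = "scoped"
            findings.append({"grant": index, "label": label, "wildcards": wild,
                             "access": cap.get("access")})
    return findings


if __name__ == "__main__":
    for finding in audit_drive_grants(SAMPLE_POLICY):
        print(finding)
```

Convert the policy file to strict JSON before passing it to this function, since the parser used here does not accept HuJSON.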

Sharing and accessing folders with Taildrive

Tailscale must be running in order to access Taildrive shares at 100.100.100.100:8080.

Share directories with Taildrive

Taildrive sharing is not compatible with DSM 6. You must use DSM 7 on your Synology NAS to share directories. Any version of DSM can view shared Taildrive directories.

Before you can use the tailscale drive share CLI command to share a directory on a Synology NAS, you must give Tailscale permission to read and write inside your Synology volume.

To share directories from a Synology device running DSM 7, you need to edit the permissions of the top-level Shared Folder in your volume.

  1. Access the Synology web interface and sign in.
  2. Open the Control Panel.
  3. Select Shared Folder under the File Sharing section.
  4. Select the Shared Folder that you wish to be able to share with Taildrive.
  5. Select Edit in the Control Panel task bar.
  6. Select the Permissions tab.
  7. Select System internal user from the dropdown menu.
  8. Find tailscale in the table.
  9. Check the Read/Write box in that row.
  10. Select Save.
  11. Repeat these steps for any other Shared Folders in your Synology volumes that you want to use with Taildrive.

This allows any sub-directory of that shared folder to be shared with your tailnet by Taildrive. Use the tailscale drive share CLI command to share specific folders.

Using the Tailscale command-line interface (CLI), run the following command to share a directory via Taildrive. Replace <share-name> and <path> with your own values.

tailscale drive share <share-name> <path>

  • share-name: A name for the share that will be used in the Taildrive path. It does not need to be identical to the directory name. Share names may only contain the lowercase letters a-z, underscores _, parentheses (), or spaces. Leading and trailing spaces are omitted. Lowercase letters are required to avoid problems with clients that don't support case-sensitive file names.
  • path: The file system path to the directory that you wish to share.

Rename Taildrive shares

To rename an existing Taildrive share, run the following command. Replace <old-share-name> with the share name you want to rename, and <new-share-name> with its intended new name.

tailscale drive rename <old-share-name> <new-share-name>

Once you rename the share, users with the proper access can immediately access the share by using the new name.

Delete Taildrive shares

To delete an existing Taildrive share, run the following command. Replace <share-name> with the share you want to delete.

tailscale drive unshare <share-name>

List existing Taildrive shares

To list all existing Taildrive shares that are shared from a device, run the following CLI command on that device:

tailscale drive list

Tailscale will return a list of the directories on the device which are shared, along with their share name and the local user whose permissions have been used to share the folder.

$ tailscale drive list

name      path                      as
------    ----------------------    ----
nas       /media/data-A/nas-data    root
docs      /pi/docs                  root
backup    /pi/system-backups        root

Access directories shared with Taildrive

These steps will work with any Synology device running DSM 6 or DSM 7. Remember, DSM 6 devices can access shared directories over Taildrive, but cannot share directories themselves.

  1. Access the Synology web interface and sign in.
  2. Open the File Station application.
  3. Select the Tools dropdown from the task bar.
  4. Select Remote Connection and then select Connection Setup.
  5. Choose WebDAV / WebDAV HTTPS from the list of connection options.
  6. Enter 100.100.100.100 in the Hostname or IP field.
  7. Enter 8080 in the Port field.
  8. Leave the Account Name and Password blank. No credentials are needed, since Taildrive uses your Tailscale identity to determine your permissions.
  9. Ensure Codepage is set to Unicode (UTF-8).
  10. Optionally, add a Profile Name. This allows you to nickname the connection.
  11. Select Apply.

Synology will display this connection in the left sidebar of the File Station application, under the WebDAV heading. Selecting the connection will show your tailnet name as a folder. Inside that folder, Taildrive will load a folder for each device in your tailnet, and any shares that are active on the devices will appear within those folders.

Limitations

  • A device shared into your tailnet cannot access any Taildrive folders in your tailnet. Similarly, a device you share to another tailnet cannot access any Taildrive folders in the other tailnet.
  • Using Taildrive with rclone on client version 1.64.2 or earlier will fail without the --inplace flag. Use version 1.65.75 or later to avoid this.

Last updated Oct 22, 2024