Get started
© 2024

Inviting users vs sharing a machine

Tailscale offers two ways to share access to your machine and services:

Both options have pros and cons, and each works best for certain scenarios. Review the following sections to learn more about each option.

Inviting a user

You can share access to the machines and resources in your tailnet by inviting another user. An invited user can access any machine or service in your tailnet by default. You can control what they can access using access controls. For example, you could invite a user and restrict their access to a few machines.

When inviting someone, you must choose their role. The role you choose determines what they can and cannot do within your tailnet. For example, you could make them a Member and allow them to access machines and services (as specified by ACLs) but not the admin console.

You might want to invite a user when:

  • You want to share more than one machine, especially if you want them to have access to new machines as they get added to your tailnet.
  • You want to change what they have access to over time without having to share and revoke access to individual machines each time.
  • You want to give them access to features in your tailnet (like Taildrop).
  • You need to share devices that are accessible via a subnet router.
  • You want the machine to both send and receive data to and from the invited user's machines.
  • The other user doesn't need to be connected to another tailnet while accessing your machine.
Learn how to invite a user to your tailnet →

Sharing a machine

You can share a machine with people outside your tailnet without exposing it to the public internet. After you share a machine with another Tailscale user, the machine appears in their tailnet like any other machine, including on the Machines page in the admin console. Only the people you shared the machine with will be able to see it, even if they are in the same tailnet.

Note that both your tailnet and theirs must have access controls that allow connections to the shared machine. The default tailnet policy file will allow this, but if either tailnet has a custom policy file, you'll need to ensure it grants access to the shared machine.

You might want to share a machine when:

  • You want to share a fixed number of machines (one or a few), and you don't expect that to change soon.
  • The other user needs to be connected to another tailnet while accessing the shared machine.
  • You don't need to give access to a subnet. You can still share a machine that is a subnet router, but the other user won't be able to access anything inside the subnet it exposes.
  • You don't need the shared machine to be able to send data to the machines in the other user's tailnet.
  • You don't want to increase the number of users in your tailnet.
Learn how to share a machine →