Connect to devices
Tailscale automatically assigns each device on your network a unique Tailscale IP address and MagicDNS name so that you can establish stable connections between devices anywhere in the world, even if they're behind a firewall or change networks. This guide covers connecting to devices in your tailnet after you've installed Tailscale on two or more devices.
Before learning about the connection process, it's crucial to understand that Tailscale provides network connectivity between devices, but you must run a specific service (like SSH or a web server) on the destination device. Tailscale does not provide these services automatically.
Prerequisites
- Tailscale installed on at least two devices.
- Access control rules that allow the devices to connect. If you're using the default ACL rules, all connections will be allowed between any device in your tailnet.
- At least one service running on one of the devices.
Connect to devices in your tailnet
To connect to another device in your tailnet:
- Identify the device to connect to.
- Make sure the device is running a service you can access.
- Connect to the service.
Identify your devices
Open the Machines page of the admin console. You'll find a list of all devices in your tailnet, along with their hostnames (device names) and Tailscale IP addresses.
Ensure services are running
Remember, you can only connect to services running on your devices. Common services include:
- SSH (usually on port
22)
You can also use Tailscale SSH. - Web servers (often on port
80or443) - File sharing services (such as SFTP)
- Remote access tools (such as RDP)
Ensure the service you want to access runs on the target device. You can do so by checking the Services page of the admin console, or by confirming the service is running on the destination device.
Connect to a service
Tailscale offers a feature called MagicDNS, which allows you to use device names instead of Tailscale IP addresses. It's enabled by default, so you can use it right away.
To connect to a service on a device in your tailnet:
- Use the device name or Tailscale IP address of the target device.
- Specify the port of the service you're trying to access.
For example, if you want to SSH into a device with the MagicDNS name dev-build-server, you can use the following command in a terminal emulator:
ssh username@dev-build-server
Visit the following topics to learn more about connecting to different types of services:
- Connect to a database.
- Connect to a Windows server using RDP.
- Connect to a cloud server.
- Connect to a remote development environment.
- Connect to a network attached storage (NAS).
Troubleshooting
If you can't connect to a service:
- Check if you can reach the device using
tailscale ping. - Verify that you're using the correct connection information.
- Ensure the service is running on the target device at the expected port number.
- Check if any firewalls (including the built-in firewall on the target device) are blocking the connection.
- Ensure that your tailnet policy file doesn’t contain any grants or ACLs that prevent a connection between the two devices.
- Visit troubleshooting device connectivity.
Advanced topics
The following sections cover other ways you can manage connections to devices in your tailnet.
Access control
When you create a tailnet, Tailscale automatically applies a default access control policy that allows you to connect to all devices you own. You can customize access control policies (such as ACLs or grants) in the tailnet policy file to create policies that control how devices on your tailnet connect to each other and other devices on the internet.
Tailscale SSH
Tailscale offers a built-in SSH feature that extends and simplifies SSH connections between your devices. When enabled, Tailscale SSH manages the authentication and authorization of SSH connections on your tailnet, letting you add additional security checks and providing a web console interface.
Sharing devices
You can share devices or specific services with other Tailscale users, allowing collaboration while maintaining security.
Routing
You can configure a device to route outbound traffic by running it as an exit node or inbound traffic by running it as a subnet router. Using a device as a subnet router lets you access devices without installing the Tailscale client.