Admin
-
About WireGuard and 2FA/MFA login
WireGuard® is a modern and fast encrypted networking protocol that offers a number of performance benefits over traditional VPNs and TLS. Among …
-
ACL samples
This article provides sample ACLs for common scenarios. For information about the syntax, see Tailscale policy syntax. Allow all (default ACL) …
-
Auth keys
Pre-authentication keys (“auth keys” for short) let you register new nodes without needing to sign in via a web browser. This is most …
-
Changing user roles
You can change the roles users in your network have to restrict access to the admin console. (To restrict which users and devices can communicate …
-
Connecting to external services with IP block lists via Tailscale
If you’re migrating from a traditional office network or a centralized VPN concentrator, you might find you have external servers that …
-
Custom DERP Servers
Tailscale runs DERP relay servers to help connect your nodes. In addition to or instead of using the Tailscale DERP servers, you can also run …
-
Device authorization
Device authorization is a feature that allows Tailscale network administrators to review and approve new devices before they can join the …
-
DNS in Tailscale
Tailscale provides each device on your network with a unique IP address that stays the same no matter where your devices are. However, IP …
-
Enable two-factor and multi-factor auth (2FA/MFA)
Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are …
-
Enabling HTTPS
Connections between Tailscale nodes are secured with end-to-end encryption. Browsers, web APIs, and products like Visual Studio Code are not …
-
Ephemeral nodes
Ephemeral nodes make it easier to connect and then clean up short-lived devices such as containers, cloud functions, or CI/CD systems that spin …
-
Exit Nodes (route all traffic)
Exit nodes capture all your network traffic, which is often not what you want. To configure Tailscale to only route certain subnets (the more …
-
Filter devices in the admin console
Devices in the machines page of the admin console can be filtered to more easily find devices meeting certain criteria. Using a filter In the …
-
How Tailscale assigns IP addresses
Tailscale makes it easy to connect to your network by providing you with a stable IP address for each node (a device or a server). These …
-
Inviting others to your network
Tailscale networks are based on your email address domain name. If you signed up as [email protected], only users with an @example.com email …
-
Kernel vs. Netstack Subnet Routing & Exit Nodes
Tailscale can act as a subnet router or exit node in one of two different modes: kernel mode (root on Linux), userspace mode (all non-Linux …
-
Key Expiry
As a security feature, users need to periodically reauthenticate on each of their devices. The default expiration period depends on your domain …
-
Machine certificates and device management
The mechanism by which nodes can join a domain is enforced by machine certificates. When a new device tries to join the Tailscale network, we …
-
Machine names
On Tailscale, machines are distinguishable by a 100.x.y.z IP address, and by a machine name. The machine name, shown throughout the admin console …
-
MagicDNS
MagicDNS automatically registers DNS names for devices in your network. If you add a new webserver called my-server to your network, you no …
-
Manage client preferences
Admins can manage devices on a network, and restrict which devices can connect using Access Control Lists (ACLs). Individual users still have …
-
Network access controls (ACLs)
Tailscale supports network access control rules, sometimes called ACLs. ACLs let you precisely define what a particular user or device is …
-
Removing and suspending users
You can remove users who should no longer be on your network in the admin console. You can also suspend users to prevent them from using …
-
Server role accounts using ACL tags
Tags let you assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. This …
-
Sharing your nodes with other users
Sharing lets you give another Tailscale user access to a private device within your network, without exposing it publicly. This can be helpful …
-
Subnet router failover
When using subnet routers in large networks, you may want to provide a failover subnet router (also called a HA subnet router or …
-
Subnet routers and traffic relay nodes
Tailscale works best when the client app is installed directly on every client, server, and VM in your organization. That way, traffic is …
-
Taildrop
Taildrop is a feature that makes it easy to send files between your personal devices on a Tailscale network. Like all traffic sent over …
-
Tailscale API
Tailscale offers an API to let you automate various aspects of your network. You can find documentation for the API on GitHub → Authentication …
-
Tailscale CLI
Tailscale ships with a built-in CLI that you can use to get information about your Tailscale+WireGuard® network and troubleshoot issues. Using …
-
User roles
User roles are Identity & Access Management (IAM) roles used to restrict access to the admin console. To understand and restrict which users …
-
Userspace networking mode (for containers)
Userspace Networking mode allows running Tailscale where you don’t have access to create a VPN tunnel device. This often happens in …
-
Viewing the list of services on your network
Tailscale’s services feature allows you to monitor and easily connect to the services running on machines in your Tailscale network. The …