Difference between revisions of "Tailscale"

From Nick's Personal Wiki
(Added Taildrop section)
 
(5 intermediate revisions by the same user not shown)
Latest revision as of 09:00, 9 April 2026

Installing Tailscale

Linux

Distros With a Package Manager

To download the package via the terminal, run the following:

curl -fsSL https://tailscale.com/install.sh | sh 

Once it's downloaded, initialize the Tailscale client via:

sudo tailscale up

This should provide some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options from Google, Microsoft, GitHub, etc.

Once authenticated, the host should appear in your Machines page on the Admin console within your TailNet (Tailscale Network).


Distros/Clients Without a Package Manager

MOST PEOPLE SHOULD BE USING THE ABOVE METHOD AND NOT THIS ONE

But if your distro/client does not have a package manager, or is a more obscure distribution, you can download the version for your system from here.

Extract the downloaded archive:

tar xvf tailscale_*.tgz

Start the downloaded daemon (tailscaled) via:

sudo tailscaled --state=tailscaled.state

And then to start the client and connect the machine to your tailnet:

sudo tailscale up

This should provide some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options from Google, Microsoft, GitHub, etc.

Once authenticated, the host should appear in your Machines page on the Admin console within your TailNet (Tailscale Network).


Access Controls

Access Control Lists (ACLs) are managed via the GUI builder or the editable JSON file, both accessible from within the admin console. Tailscale's documentation for this is great, so be sure to see their examples page for reference.

Tailscale SSH is also not configured by default: it needs to be enabled on a host-by-host basis and then permitted in the ACL file from the admin console.


Users

User Roles

More information regarding user roles can be found here.


Groups

Normal Groups

These are groups that are manually created and specified in the Admin console and/or in the ACL JSON file.

To create a group in the ACL file:

"groups": {
    "group:GROUP_NAME": ["USER1", "USER2", "USER3"],
},

e.g.

"groups": {
    "group:developers": ["Bob@example.com", "Janet@example.com", "Steven@example.com"],
},

Autogroups

"An autogroup is a type of built-in target that automatically groups devices, users, or IP addresses based on specific criteria. They let you select dynamic sets of users, devices, or routes that might be challenging or even impossible to select by other means." Source and Breakdown of Autogroups

Commonly Used Autogroups

autogroup:self -- All the devices that are owned by the same user

autogroup:member -- All the members of the tailnet

autogroup:owner -- All the members with the Owner role, which is the default role the account holder has


Tags

Tags can be created manually within the Admin console or via the command line from the machines on the tailnet (with approval from the Admin console).

Tags are applied to various machines to label them as a service, an operating system, etc.

For example, applying the 'Prod' tag to all the production machines and the 'Dev' tag to development machines, or 'Local'/'Cloud' for machines that are located locally or in the cloud.


Admin Console

To create tags from the Admin console, you can find the GUI editor under 'Access Controls'>'Visual Editor'>'Tags' using the 'Create Tag' button and filling out the provided form.

Tags can also be created in the Admin console from directly within the ACL file like so:

"tagOwners": {
    // Description of the tag below this line
    "tag:TAG_NAME": ["OWNER OF THIS TAG"], // The owner can be a user, a group, an autogroup, etc
}

e.g.

"tagOwners": {
    // Tag for machines in the production environment
    "tag:prod": ["group:production"], 
}

This would create the tag 'prod' that is owned by the 'production' group.


Command Line

To submit tags to the Admin console for approval (from the Owner/Admin) from the command line of a machine:

sudo tailscale up --advertise-tags=tag:TAG_NAME,tag:TAG_NAME_2

Then these tag(s) would need to be approved from within the Admin console before they are created/applied to the machine.


Examples

By default, Tailscale's ACL model is least privilege (nothing is reachable unless a rule allows it), but a new tailnet ships with an allow-all policy in place so that the nodes can connect to each other.

Default

This initial, permit-all, ACL looks like this:

{
  "grants": [
    {
      "src": ["*"],
      "dst": ["*"],
      "ip": ["*"]
    }
  ]
}

Owners' Devices Only

To allow individuals to access the devices that are owned by themselves in the TailNet:

{
  "grants": [
    {
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "ip": ["*"]
    }
  ]
}


Tailscale SSH

To enable Tailscale SSH on the host you're currently logged into:

sudo tailscale set --ssh

This should almost immediately reflect on the Admin console as well with an SSH label.


Connecting Via Tailscale SSH

Connecting to a host that already has Tailscale SSH enabled and the matching ACL configuration in place looks like this:

tailscale ssh USER@MACHINE_NAME


ACL Configuration

By default, all the hosts on your tailnet can access all the other hosts; they're "granted" this permission via the ACL in the Admin console. For hosts to connect to other hosts at all, including via SSH, they first need to be "granted" permission to connect.

i.e. If HostA and HostB are not granted permission to connect, they cannot SSH from either to the other.

To restrict which users/hosts can access other hosts (via SSH specifically), the ACL needs to be updated.


Restricting SSH Via Users

To restrict SSH access to the machines using users, it would look something like this:

"ssh": [
    {
      "action": "accept", // No re-authentication required when connecting after a time
      "src": ["janedoe@example.com"], 
      "dst": ["production-db"],
      "users": ["administrator"]
    },
],

This restricts access to the 'production-db' machine to only 'janedoe@example.com', and they would NOT need to re-authenticate when connecting.


Restricting SSH Via Groups

This would restrict SSH access to the 'servers' group to only the 'admin' group, using any username (that exists on the destination machines), with the 'check' mode enabled:

"ssh": [
    {
      "action": "check", // Check mode requires re-authentication when connecting after a time
      "src":    ["group:admin"],
      "dst":    ["group:servers"],
      "users":  ["*"], // Refers to LOCAL usernames on the DESTINATION machine
    },
],


Restricting SSH Via Tags

To restrict access to machines with a particular tag to devices with another tag, it would look like this:

"ssh": [
    {
        "action": "accept",
        "src": ["tag:developers"],
        "dst": ["tag:dev-servers"],
        "users": ["*"]
    },
],
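The Groups, Tags, Examples and ACL Configuration sections above all describe fragments of one HuJSON policy file. The following added example (not from this wiki or from Tailscale) is a small lint script that parses such a file and flags the patterns those sections discuss: the initial permit-all grant, SSH rules that reference a tag with no tagOwners entry, and "accept" SSH rules that allow any local user. The sample policy embedded in it is constructed for the example.

```python
"""Lint a Tailscale policy file (HuJSON) for the patterns discussed on this page."""
import json
import re

# Constructed sample policy (not from any real tailnet): the default permit-all
# grant plus two SSH rules, written in HuJSON (comments and trailing commas).
SAMPLE_POLICY = """{
  "groups": { "group:admin": ["janedoe@example.com"] },  // example user
  "tagOwners": { "tag:dev-servers": ["group:admin"], },
  "grants": [
    { "src": ["*"], "dst": ["*"], "ip": ["*"] },
  ],
  "ssh": [
    { "action": "accept", "src": ["tag:developers"], "dst": ["tag:dev-servers"], "users": ["*"] },
    { "action": "check",  "src": ["group:admin"],    "dst": ["group:servers"],   "users": ["*"] },
  ],
}"""

def hujson_to_obj(text):
    """Parse HuJSON by stripping comments and trailing commas before json.loads.
    Naive: a '//' inside a string value (e.g. a URL) would also be stripped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"//[^\n]*", "", text)                 # line comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)           # trailing commas
    return json.loads(text)

def lint_policy(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    policy = hujson_to_obj(text)
    findings = []
    # 1. The initial permit-all grant from the page: every node reaches every node.
    for g in policy.get("grants", []):
        if "*" in g.get("src", []) and "*" in g.get("dst", []):
            findings.append("permit-all grant: src and dst are both '*'")
    owned = set(policy.get("tagOwners", {}))
    for rule in policy.get("ssh", []):
        # 2. Tags used in SSH rules should exist under tagOwners; otherwise the
        #    rule matches no machine yet still reads like an intentional grant.
        for tag in rule.get("src", []) + rule.get("dst", []):
            if tag.startswith("tag:") and tag not in owned:
                findings.append(f"ssh rule references {tag} with no tagOwners entry")
        # 3. 'accept' skips re-authentication; combined with users '*' it lets the
        #    source log in as any local account that exists on the destination.
        if rule.get("action") == "accept" and "*" in rule.get("users", []):
            findings.append(f"ssh accept rule {rule['src']} -> {rule['dst']} allows any local user")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("-", finding)
```

Point `lint_policy` at the contents of your own exported policy file to review it before saving changes in the Admin console.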


Taildrop (File Sharing Over Tailscale)

As of writing, this feature is still pre-1.0, but it allows for the encrypted transfer of files between the nodes in your tailnet.


Sending Files

To send files using Taildrop:

tailscale file cp FILE_NAME(S) TARGET_HOSTNAME:

NOTE: the trailing ':' at the end of the line is intentional and must be appended to the target hostname.

e.g.

If you wanted to copy a file (./accounting/2026/budget-report.xlsx) from the localhost to a file server on your tailnet (finance-archive-server):

tailscale file cp ./accounting/2026/budget-report.xlsx finance-archive-server:


Receiving Files

To receive files from the tailnet, you would use the command:

sudo tailscale file get /path/to/desired/file/destination/

Files are (as of writing) received as root, because the associated daemon process runs as root, so 'sudo' is required for this command to function.


Disable Logging

PLEASE READ THIS CAREFULLY BEFORE PROCEEDING TO FOLLOW THE COMMANDS, PERFORMING THESE ACTIONS MAY IMPACT YOUR ABILITY TO RECEIVE SUPPORT (IF NEEDED) FROM TAILSCALE

Tailscale is configured by default to send logs and diagnostic data regarding connectivity to Tailscale servers (not your servers, their servers) to assist in troubleshooting issues. You may disable this functionality at the cost of potentially being unable to receive support from Tailscale.

To do so, add:

TS_NO_LOGS_NO_SUPPORT=true

to the file located at:

/etc/default/tailscaled

Or using the command:

sudo tailscale set --no-logs-no-support


Additional Resources

Tailscale Documentation