Configure Tailscale on Linux
Install Tailscale on Linux, authenticate devices, enable MagicDNS, configure exit nodes and subnet routes, and set up basic ACLs for access control.
Before you start
- A free Tailscale account at tailscale.com
- sudo or root access on the Linux machine
- Outbound internet access (HTTPS and ideally UDP 41641)
Tailscale builds a WireGuard-based mesh VPN that connects your machines without port-forwarding, firewall rules, or a central VPN server you manage yourself. Each device gets a stable IP in the 100.64.0.0/10 range, reachable by name via MagicDNS. This guide walks through installation, authentication, and the most useful features: MagicDNS, exit nodes, subnet routing, and access control lists (ACLs).
Install Tailscale
Debian and Ubuntu
Tailscale ships its own apt repository. The one-line installer script adds the key and repo, then installs the package. Inspect the script at pkgs.tailscale.com before running it if you prefer.
curl -fsSL https://tailscale.com/install.sh | sh
Or add the repository manually:
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg \
| sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list \
| sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt update && sudo apt install tailscale -y
Fedora / RHEL / Rocky
sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo
sudo dnf install tailscale -y
Arch Linux
sudo pacman -S tailscale
Enable and Start the Daemon
Tailscale runs as a systemd service. Enable it so it starts on boot, then bring it up now.
sudo systemctl enable --now tailscaled
Verify it is running:
sudo systemctl status tailscaled
You should see active (running) in the output.
Authenticate the Machine
Run tailscale up to connect. It will print an authentication URL.
sudo tailscale up
Open the URL in a browser, log in with your identity provider (Google, GitHub, Microsoft, or email), and approve the device in the Tailscale admin console. The terminal will unblock automatically once you authenticate.
For headless servers where no browser is available, you can generate a reusable or ephemeral auth key in the admin console under Settings → Keys, then pass it directly:
sudo tailscale up --authkey=tskey-auth-XXXXXXXXXXXXXXXX
Confirm the device received its Tailscale IP:
tailscale ip -4
Output will be a single address in the 100.64.x.x range.
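For headless servers it is worth scripting the enrolment so it can be repeated on every new host. The following script is an added example and is not code from this guide or from Tailscale: it reads the auth key from a root-only file rather than the command line, waits for tailscaled to come up, and checks that the address it received is actually inside the 100.64.0.0/10 range described above. KEY_FILE is an assumed location, and the file: form of --auth-key is an assumption about recent tailscale releases (confirm with tailscale up --help).

```shell
#!/bin/sh
# Added example, not code from the guide or from Tailscale: enrol a headless
# server with an auth key kept in a root-only file, wait for tailscaled to
# come up, and check that the assigned address is inside Tailscale's
# 100.64.0.0/10 range. KEY_FILE is an assumed location.
set -eu

KEY_FILE="${KEY_FILE:-/etc/tailscale/authkey}"   # assumed path, create with mode 0600

# Return 0 when $1 is a dotted-quad IPv4 address in 100.64.0.0/10
# (first octet 100, second octet 64..127, remaining octets 0..255).
in_tailscale_range() {
  addr="$1"
  case "$addr" in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # digits and single dots only
  esac
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  [ "$1" -eq 100 ] || return 1
  [ "$2" -ge 64 ] && [ "$2" -le 127 ] && [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# Poll `tailscale ip -4` for up to $1 seconds and print the address once it
# is assigned and in range; return 1 on timeout.
wait_for_ip() {
  deadline=$(( $(date +%s) + ${1:-60} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    ip=$(tailscale ip -4 2>/dev/null || true)
    if [ -n "$ip" ] && in_tailscale_range "$ip"; then
      printf '%s\n' "$ip"
      return 0
    fi
    sleep 2
  done
  echo "timed out waiting for a Tailscale address" >&2
  return 1
}

# Enrol using the key file. The file: form (assumed to be accepted by recent
# tailscale releases; confirm with `tailscale up --help`) keeps the key off
# the command line, where `ps` output and shell history would record it.
enroll() {
  if [ ! -r "$KEY_FILE" ]; then
    echo "auth key file $KEY_FILE is missing or unreadable" >&2
    return 1
  fi
  sudo tailscale up --auth-key="file:$KEY_FILE" --hostname="$(hostname -s)"
  wait_for_ip 60
}

# Only enrol when explicitly asked, so the file can be sourced for its helpers.
if [ "${ENROLL:-0}" = 1 ]; then
  enroll
fi
```

Run it as ENROLL=1 sh enroll.sh on the new host. Keeping the key in a 0600 file also makes it easy to rotate: replace the file, re-run, and revoke the old key in the admin console.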
MagicDNS
MagicDNS lets you reach any machine in your tailnet by its short hostname instead of its 100.x address. Enable it in the admin console under DNS → MagicDNS. No per-machine configuration is required; Tailscale injects a DNS resolver at the OS level automatically.
Once enabled, test it:
ping my-server-hostname
If you have a custom domain configured (e.g. tail12345.ts.net), fully-qualified names like my-server.tail12345.ts.net also resolve. You can add split DNS entries in the admin console to forward internal domain lookups to your own nameservers while still using MagicDNS for tailnet names.
Exit Nodes
An exit node routes all internet-bound traffic from other tailnet devices through itself — useful for securing traffic on untrusted Wi-Fi or accessing geo-restricted content via a VPS.
Advertise as an exit node
sudo tailscale up --advertise-exit-node
Linux also requires IP forwarding. Add it permanently:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
Then approve the exit node in the admin console: find the machine under Machines, click the three-dot menu, and select Edit route settings → Use as exit node.
Use an exit node on another machine
sudo tailscale up --exit-node=my-server-hostname
To stop using the exit node:
sudo tailscale up --exit-node=
Subnet Routes
Subnet routing lets non-Tailscale devices on a LAN be reachable by other tailnet members through a Linux machine acting as a relay. This is ideal for accessing a home or office network remotely without installing Tailscale on every device.
Advertise a subnet
IP forwarding must be enabled (see the exit node section above). Then advertise your local subnet:
sudo tailscale up --advertise-routes=192.168.1.0/24
Approve the routes in the admin console under the machine's Edit route settings panel. Without approval, routes are advertised but not active.
Accept subnet routes on client machines
By default other tailnet machines do not automatically accept advertised routes. Enable route acceptance:
sudo tailscale up --accept-routes
You can combine flags. For example, to authenticate, accept routes, and use a specific exit node all at once:
sudo tailscale up --accept-routes --exit-node=my-exit-node
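Both the exit node and the subnet router depend on kernel forwarding being on, and the subnet router should only ever advertise the LAN you intend to expose. The script below is an added example covering both sections, not code from the guide or from Tailscale: it checks forwarding (writing the sysctl drop-in without duplicating lines if it is missing) and refuses to advertise anything other than an RFC 1918 prefix. The /proc/sys root is a parameter of the check so it can be exercised against a constructed directory; the drop-in path matches the one used above.

```shell
#!/bin/sh
# Added example, not from the guide or from Tailscale: pre-flight checks for a
# Linux box about to act as an exit node or subnet router. It verifies kernel
# forwarding (writing the sysctl drop-in idempotently if needed) and refuses
# to advertise a prefix that is not an RFC 1918 network. The /proc/sys root
# is a parameter so the checks can run against a constructed directory.
set -eu

SYSCTL_DROPIN=/etc/sysctl.d/99-tailscale.conf

# Return 0 when both IPv4 and IPv6 forwarding are on. $1 overrides the
# /proc/sys root (used by the tests); the default is the live kernel.
forwarding_enabled() {
  root="${1:-/proc/sys}"
  v4=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null || echo 0)
  v6=$(cat "$root/net/ipv6/conf/all/forwarding" 2>/dev/null || echo 0)
  [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# Overwrite (rather than append to) the drop-in so re-running never
# duplicates lines, then apply it.
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    | sudo tee "$SYSCTL_DROPIN" > /dev/null
  sudo sysctl -p "$SYSCTL_DROPIN"
}

# Return 0 only for an RFC 1918 IPv4 prefix with a length of 8..32.
# Advertising 0.0.0.0/0 or a public block from a subnet router is almost
# always a mistake; a default route is what --advertise-exit-node is for.
is_private_cidr() {
  case "$1" in
    10.*/*|192.168.*/*) ;;
    172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) ;;
    *) return 1 ;;
  esac
  plen="${1##*/}"
  [ "$plen" -ge 8 ] 2>/dev/null && [ "$plen" -le 32 ]
}

advertise_subnet() {
  cidr="$1"
  if ! is_private_cidr "$cidr"; then
    echo "refusing to advertise non-private prefix: $cidr" >&2
    return 1
  fi
  forwarding_enabled || enable_forwarding
  sudo tailscale up --advertise-routes="$cidr"
}

advertise_exit_node() {
  forwarding_enabled || enable_forwarding
  sudo tailscale up --advertise-exit-node
}

# Usage: advertise_subnet 192.168.1.0/24   or   advertise_exit_node
```

One caveat when combining this with the flags shown above: recent tailscale releases reject a tailscale up call that omits a non-default flag set earlier (for example --accept-routes), and ask you to repeat every flag. To change a single preference without restating the rest, use tailscale set --advertise-routes=192.168.1.0/24 (or --advertise-exit-node) instead.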
ACL Basics
Tailscale ACLs (access control lists) are defined in the admin console under Access Controls using a JSON-like policy file called HuJSON (it allows comments). By default, the policy allows all devices to reach all other devices — fine for personal use, but too permissive for teams.
A minimal example that restricts access so only tagged servers accept SSH from personal devices:
// Example ACL — edit in the admin console, not locally
{
"tagOwners": {
"tag:server": ["autogroup:admin"],
"tag:personal": ["autogroup:member"]
},
"acls": [
{
"action": "accept",
"src": ["tag:personal"],
"dst": ["tag:server:22"]
}
]
}
Assign tags to machines in the admin console or with an auth key (--advertise-tags=tag:server). Changes take effect within seconds; no daemon restart is needed.
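Because the policy is HuJSON, the usual JSON tools choke on it, and the most common mistake is leaving the allow-everything default rule in place next to the new restrictive one. The script below is an added example, not part of the guide or of Tailscale's tooling: it strips comments so the policy can be inspected with plain text tools, flags a policy that still carries the wide-open rule, lists destinations that open every port, and wraps the API's validate endpoint (which needs network access and an API access token, so it is not part of the offline checks; the HuJSON content type is an assumption). The two policies embedded in it are constructed for the example, the second being the one shown above.

```shell
#!/bin/sh
# Added example, not part of the guide or of Tailscale's tooling: offline
# sanity checks on a HuJSON policy before pasting it into the admin console,
# plus a wrapper for the API's validate endpoint. The two policies below are
# constructed for the example.
set -eu

# The permissive default a new tailnet ships with.
POLICY_OPEN='{
  "acls": [
    // allow everything
    { "action": "accept", "src": ["*"], "dst": ["*:*"] }
  ]
}'

# The locked-down policy from the guide, with a trailing comment.
POLICY_LOCKED='{
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
    "tag:personal": ["autogroup:member"]
  },
  "acls": [
    { "action": "accept", "src": ["tag:personal"], "dst": ["tag:server:22"] } // ssh only
  ]
}'

# Remove // comments (full-line, or preceded by whitespace) so the rest can
# be inspected with plain text tools. A // inside a string such as
# "https://x" has no whitespace before it and is left alone.
strip_comments() {
  sed -e 's|^[[:space:]]*//.*$||' -e 's|[[:space:]]//.*$||'
}

# Return 0 if the policy read on stdin still carries an allow-all rule
# ("src": ["*"] with "dst": ["*:*"]), i.e. the default has not been replaced.
policy_is_wide_open() {
  compact=$(strip_comments | tr -d '[:space:]')
  case "$compact" in
    *'"src":["*"]'*'"dst":["*:*"]'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every destination that opens all ports on a target (ends in ":*"),
# which deserves a second look even when the source is restricted.
any_port_destinations() {
  strip_comments | grep -o '"[^"]*:\*"' | tr -d '"' || true
}

# Server-side validation through the public API (documented by Tailscale as
# POST /api/v2/tailnet/{tailnet}/acl/validate; "-" selects the token's own
# tailnet). Needs network access and an API access token in TS_API_KEY, so
# it is not exercised in the offline checks. Assumed content type: HuJSON.
validate_remote() {
  curl -sS -u "${TS_API_KEY:?set TS_API_KEY to an API access token}:" \
    -H 'Content-Type: application/hujson' \
    --data-binary @"$1" \
    https://api.tailscale.com/api/v2/tailnet/-/acl/validate
}

# Usage: policy_is_wide_open < policy.hujson && echo "still allow-all"
#        any_port_destinations < policy.hujson
#        TS_API_KEY=... validate_remote policy.hujson
```

Keeping the policy in a file under version control and running these checks before every paste into the admin console gives you a history of who opened what, which the console alone does not provide.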
Verify Your Setup
Check overall status, including peers and their reachability:
tailscale status
Run a connectivity ping to confirm direct (not relayed) paths to a peer:
tailscale ping my-other-machine
A direct connection shows pong from ... via ... (direct). A relayed connection shows via DERP — this often resolves to direct after a few seconds but can stay relayed if both machines are behind strict NAT.
Inspect the local interface details, including the assigned IP and active features:
tailscale debug netmap 2>/dev/null | head -40
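A relayed peer is not broken, but a peer that stays on DERP for a subnet router or exit node is worth noticing, since every packet then takes the slower path. The script below is an added example, not from the guide: it classifies each line of tailscale status output and returns a non-zero status when any peer is relayed, so it can sit in a cron job or monitoring probe. SAMPLE_STATUS is constructed to mirror the column layout of tailscale status; in live use, pipe the real command in instead.

```shell
#!/bin/sh
# Added example (not from the guide): report tailnet peers whose traffic is
# going through a DERP relay instead of a direct path, for a cron job or a
# monitoring probe. SAMPLE_STATUS is constructed to mirror the column layout
# of `tailscale status`; feed the live command in instead.
set -eu

SAMPLE_STATUS='100.64.0.1   laptop      alice@  linux   -
100.64.0.5   media-box   alice@  linux   active; direct 203.0.113.5:41641, tx 1200 rx 3400
100.64.0.6   office-gw   alice@  linux   active; relay "nyc", tx 100 rx 200
100.64.0.7   spare       alice@  linux   idle, tx 0 rx 0
100.64.0.8   old-pi      alice@  linux   offline'

# Classify one status line as direct, relayed, idle, offline or other
# (the first line, the local node, carries no connection state).
classify_line() {
  case "$1" in
    *"active; direct "*) echo direct ;;
    *"active; relay "*)  echo relayed ;;
    *" idle,"*)          echo idle ;;
    *" offline"*)        echo offline ;;
    *)                   echo other ;;
  esac
}

# Print the hostname (second column) of every relayed peer read on stdin.
relayed_peers() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if [ "$(classify_line "$line")" = relayed ]; then
      set -- $line
      printf '%s\n' "$2"
    fi
  done
}

# Return 1 (with a one-line summary on stderr) if any peer is relayed.
check_relays() {
  relayed=$(relayed_peers | tr '\n' ' ')
  if [ -n "$relayed" ]; then
    echo "relayed peers: $relayed" >&2
    return 1
  fi
  echo "all active peers have direct paths"
}

# Live use: tailscale status | check_relays
```

Pair it with tailscale ping on the flagged host: if the path upgrades to direct after a few probes, the relay was transient; if it never does, both ends are most likely behind symmetric NAT, as the troubleshooting section below describes.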
Troubleshooting
- Stuck on authentication: Run sudo tailscale logout, then sudo tailscale up again to get a fresh auth URL.
- MagicDNS not resolving: Check that systemd-resolved is running (systemctl status systemd-resolved). On systems using /etc/resolv.conf directly, Tailscale may not be able to inject its resolver; check tailscale status --json | jq .MagicDNSSuffix.
- Subnet routes not working: Confirm IP forwarding is active (sysctl net.ipv4.ip_forward should return 1) and the routes are approved in the admin console.
- Always relayed (DERP), never direct: Both ends may be behind symmetric NAT. This is a network constraint; traffic still flows, just with slightly higher latency. Hosting an exit node or subnet router on a VPS with a public IP helps avoid this.
- Service log: sudo journalctl -u tailscaled -n 50 --no-pager is the fastest way to diagnose daemon errors.
Frequently asked questions
- Does Tailscale work alongside an existing firewall like nftables or firewalld?
- Yes. Tailscale manages its own WireGuard interface (tailscale0) and does not replace your firewall. Ensure your firewall allows traffic on UDP port 41641 outbound for direct connections; DERP relay traffic uses HTTPS (443) as a fallback, so it works even if 41641 is blocked.
- What is the difference between an exit node and a subnet router?
- An exit node routes all internet-bound traffic from a client through itself, masking the client's IP. A subnet router only advertises specific LAN subnets, letting tailnet members reach local devices without routing general internet traffic through the relay.
- Can I run Tailscale on a machine without a GUI or browser?
- Yes. Generate a reusable or ephemeral auth key in the admin console and pass it with `tailscale up --authkey=tskey-auth-...`. No browser interaction is needed on the server.
- Will Tailscale survive a reboot automatically?
- Once authenticated, Tailscale stores credentials locally and reconnects on startup as long as the tailscaled service is enabled. You only need to re-authenticate if you log out or if the key expires.
- How do I remove a machine from my tailnet?
- Run `sudo tailscale logout` on the machine to deregister it, then delete it from the admin console under Machines. The machine's 100.x IP is released and becomes unavailable to other peers immediately.