
Configure Tailscale on Linux

Install Tailscale on Linux, authenticate devices, enable MagicDNS, configure exit nodes and subnet routes, and set up basic ACLs for access control.

Beginner · Ubuntu · Debian · Fedora · Arch · 8 min read · Updated June 7, 2026

Before you start

  • A free Tailscale account at tailscale.com
  • sudo or root access on the Linux machine
  • Outbound internet access (HTTPS and ideally UDP 41641)

Tailscale builds a WireGuard-based mesh VPN that connects your machines without port-forwarding, firewall rules, or a central VPN server you manage yourself. Each device gets a stable IP in the 100.64.0.0/10 range, reachable by name via MagicDNS. This guide walks through installation, authentication, and the most useful features: MagicDNS, exit nodes, subnet routing, and access control lists (ACLs).

Install Tailscale

Debian and Ubuntu

Tailscale ships its own apt repository. The one-line installer script adds the key and repo, then installs the package. Inspect the script at pkgs.tailscale.com before running it if you prefer.

curl -fsSL https://tailscale.com/install.sh | sh

Or add the repository manually:

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg \
  | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list \
  | sudo tee /etc/apt/sources.list.d/tailscale.list

sudo apt update && sudo apt install tailscale -y

Fedora / RHEL / Rocky

sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo
sudo dnf install tailscale -y

Arch Linux

sudo pacman -S tailscale

Enable and Start the Daemon

Tailscale runs as a systemd service. Enable it so it starts on boot, then bring it up now.

sudo systemctl enable --now tailscaled

Verify it is running:

sudo systemctl status tailscaled

You should see active (running) in the output.

Authenticate the Machine

Run tailscale up to connect. It will print an authentication URL.

sudo tailscale up

Open the URL in a browser, log in with your identity provider (Google, GitHub, Microsoft, or email), and approve the device in the Tailscale admin console. The terminal will unblock automatically once you authenticate.

For headless servers where no browser is available, you can generate a reusable or ephemeral auth key in the admin console under Settings → Keys, then pass it directly:

sudo tailscale up --authkey=tskey-auth-XXXXXXXXXXXXXXXX

Confirm the device received its Tailscale IP:

tailscale ip -4

Output will be a single address in the 100.64.x.x range.

MagicDNS

MagicDNS lets you reach any machine in your tailnet by its short hostname instead of its 100.x address. Enable it in the admin console under DNS → MagicDNS. No per-machine configuration is required; Tailscale injects a DNS resolver at the OS level automatically.

Once enabled, test it:

ping my-server-hostname

If you have a custom domain configured (e.g. tail12345.ts.net), fully-qualified names like my-server.tail12345.ts.net also resolve. You can add split DNS entries in the admin console to forward internal domain lookups to your own nameservers while still using MagicDNS for tailnet names.

Exit Nodes

An exit node routes all internet-bound traffic from other tailnet devices through itself — useful for securing traffic on untrusted Wi-Fi or accessing geo-restricted content via a VPS.

sudo tailscale up --advertise-exit-node

Linux also requires IP forwarding. Add it permanently:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Then approve the exit node in the admin console: find the machine under Machines, click the three-dot menu, and select Edit route settings → Use as exit node.

Use an exit node on another machine

sudo tailscale up --exit-node=my-server-hostname

To stop using the exit node:

sudo tailscale up --exit-node=

Subnet Routes

Subnet routing lets non-Tailscale devices on a LAN be reachable by other tailnet members through a Linux machine acting as a relay. This is ideal for accessing a home or office network remotely without installing Tailscale on every device.

IP forwarding must be enabled (see the exit node section above). Then advertise your local subnet:

sudo tailscale up --advertise-routes=192.168.1.0/24

Approve the routes in the admin console under the machine's Edit route settings panel. Without approval, routes are advertised but not active.

Accept subnet routes on client machines

By default other tailnet machines do not automatically accept advertised routes. Enable route acceptance:

sudo tailscale up --accept-routes

You can combine flags. For example, to authenticate, accept routes, and use a specific exit node all at once:

sudo tailscale up --accept-routes --exit-node=my-exit-node

ACL Basics

Tailscale ACLs (access control lists) are defined in the admin console under Access Controls using a JSON-like policy file called HuJSON (it allows comments). By default, the policy allows all devices to reach all other devices — fine for personal use, but too permissive for teams.

A minimal policy that allows only devices tagged tag:personal to open SSH (port 22) to machines tagged tag:server; once a policy is defined, anything it does not list is denied:

// Example ACL — edit in the admin console, not locally
{
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
    "tag:personal": ["autogroup:member"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:personal"],
      "dst": ["tag:server:22"]
    }
  ]
}

Assign tags to machines in the admin console or with an auth key (--advertise-tags=tag:server). Changes take effect within seconds; no daemon restart is needed.
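Because the policy file is HuJSON, it cannot be fed to a plain JSON parser as-is. The following is an added example, not part of this guide or of Tailscale's own tooling: it strips comments and trailing commas, loads the policy, and then runs two checks a reviewer would want before saving a policy in the admin console: every tag referenced in a rule has an owner in tagOwners, and no rule grants the wildcard destination `*:*`. The sample policy is constructed for the example (it adds a deliberately over-broad `tag:ci` rule to the guide's policy) and the linter rules are this example's own, not Tailscale's validation.

```python
"""Offline lint for a Tailscale ACL policy written in HuJSON.

Added example, not part of the original guide or of Tailscale's tooling.
Strips HuJSON comments and trailing commas, then checks that every tag
referenced in the "acls" rules is declared in "tagOwners" and flags rules
whose destination is the wildcard "*:*".
"""
import json
import re

# Constructed sample: the guide's policy plus one over-broad rule so the
# lint has something to report.
SAMPLE_POLICY = """
// Example ACL - comments are allowed in HuJSON
{
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
    "tag:personal": ["autogroup:member"],
  },
  "acls": [
    /* SSH from personal devices to servers only */
    {"action": "accept", "src": ["tag:personal"], "dst": ["tag:server:22"]},
    {"action": "accept", "src": ["tag:ci"], "dst": ["*:*"]},  // too broad
  ],
}
"""


def strip_hujson(text: str) -> str:
    """Remove // and /* */ comments and trailing commas so json.loads accepts it.

    A small state machine tracks string literals, so a "//" inside a quoted
    value (for example a URL) is left untouched.
    """
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char, including \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            i = text.find("\n", i)            # drop to end of line, keep the newline
            if i == -1:
                break
            continue
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    cleaned = "".join(out)
    # Trailing commas before a closing bracket or brace are legal HuJSON, not JSON.
    return re.sub(r",(\s*[}\]])", r"\1", cleaned)


def load_policy(text: str) -> dict:
    return json.loads(strip_hujson(text))


def split_dst(dst: str) -> tuple:
    """'tag:server:22' -> ('tag:server', '22'); '*:*' -> ('*', '*')."""
    host, _, port = dst.rpartition(":")
    return host, port


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    owners = policy.get("tagOwners", {})
    for idx, rule in enumerate(policy.get("acls", [])):
        refs = list(rule.get("src", [])) + [split_dst(d)[0] for d in rule.get("dst", [])]
        for ref in refs:
            if ref.startswith("tag:") and ref not in owners:
                findings.append(f"rule {idx}: {ref} has no entry in tagOwners")
        for d in rule.get("dst", []):
            if split_dst(d) == ("*", "*"):
                findings.append(f"rule {idx}: dst '*:*' grants access to every device and port")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(load_policy(SAMPLE_POLICY)):
        print(finding)
```

Run it against the sample and it reports the undeclared `tag:ci` and the wildcard destination; point `load_policy` at a policy exported from the admin console to check your own before saving.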

Verify Your Setup

Check overall status, including peers and their reachability:

tailscale status

Run a connectivity ping to confirm direct (not relayed) paths to a peer:

tailscale ping my-other-machine

A direct connection shows pong from ... via ... (direct). A relayed connection shows via DERP — this often resolves to direct after a few seconds but can stay relayed if both machines are behind strict NAT.

Inspect the local interface details, including the assigned IP and active features:

tailscale debug netmap 2>/dev/null | head -40

Troubleshooting

  • Stuck on authentication: Run sudo tailscale logout, then sudo tailscale up again to get a fresh auth URL.
  • MagicDNS not resolving: Check that systemd-resolved is running (systemctl status systemd-resolved). On systems using /etc/resolv.conf directly, Tailscale may not be able to inject its resolver — check tailscale status --json | jq .MagicDNSSuffix.
  • Subnet routes not working: Confirm IP forwarding is active (sysctl net.ipv4.ip_forward should return 1) and the routes are approved in the admin console.
  • Always relayed (DERP), never direct: Both ends may be behind symmetric NAT. This is a network constraint; traffic still flows, just with slightly higher latency. Hosting an exit node or subnet router on a VPS with a public IP helps avoid this.
  • Service log: sudo journalctl -u tailscaled -n 50 --no-pager is the fastest way to diagnose daemon errors.
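The checks in the Verify and Troubleshooting sections (direct versus DERP-relayed peers, whether MagicDNS is active, which peers advertise routes or can act as exit node) can be read from one `tailscale status --json` document. The following is an added example, not part of this guide or of Tailscale's own tooling. Field names (MagicDNSSuffix, Peer, CurAddr, Relay, Online, ExitNodeOption, PrimaryRoutes) follow the status JSON as I know it; the sample document is constructed, not captured from a real tailnet, and the `--live` switch is this example's own.

```python
"""Summarise `tailscale status --json` for the guide's verification checks.

Added example, not part of the original guide or of Tailscale's tooling.
SAMPLE_STATUS is a constructed document shaped like the real output; pass
--live to read the running daemon instead.
"""
import json
import subprocess

# Constructed sample: one direct peer that also routes a subnet and offers
# itself as exit node, one DERP-relayed peer, one offline peer.
SAMPLE_STATUS = json.dumps({
    "MagicDNSSuffix": "tail12345.ts.net",
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.103"]},
    "Peer": {
        "nodekey:aaa": {"HostName": "my-server", "TailscaleIPs": ["100.64.0.2"],
                        "Online": True, "CurAddr": "203.0.113.7:41641", "Relay": "",
                        "ExitNodeOption": True, "PrimaryRoutes": ["192.168.1.0/24"]},
        "nodekey:bbb": {"HostName": "nas", "TailscaleIPs": ["100.64.0.3"],
                        "Online": True, "CurAddr": "", "Relay": "nyc",
                        "ExitNodeOption": False, "PrimaryRoutes": []},
        "nodekey:ccc": {"HostName": "old-vm", "TailscaleIPs": ["100.64.0.4"],
                        "Online": False, "CurAddr": "", "Relay": "",
                        "ExitNodeOption": False, "PrimaryRoutes": []},
    },
})


def classify_peers(status: dict) -> dict:
    """Map each peer hostname to 'direct', 'relayed via DERP <region>' or 'offline'.

    CurAddr is the peer's public endpoint once a direct path is established;
    it stays empty while traffic goes through a DERP relay.
    """
    result = {}
    for peer in status.get("Peer", {}).values():
        if not peer.get("Online"):
            state = "offline"
        elif peer.get("CurAddr"):
            state = "direct"
        else:
            state = "relayed via DERP %s" % (peer.get("Relay") or "?")
        result[peer["HostName"]] = state
    return result


def magicdns_enabled(status: dict) -> bool:
    """MagicDNSSuffix is empty when MagicDNS is switched off in the admin console."""
    return bool(status.get("MagicDNSSuffix"))


def route_capable_peers(status: dict) -> dict:
    """Peers that offer themselves as exit node or currently route a subnet."""
    out = {}
    for peer in status.get("Peer", {}).values():
        routes = peer.get("PrimaryRoutes") or []
        if peer.get("ExitNodeOption") or routes:
            out[peer["HostName"]] = {"exit_node": bool(peer.get("ExitNodeOption")),
                                     "routes": list(routes)}
    return out


def report(status_json: str) -> dict:
    status = json.loads(status_json)
    return {
        "magicdns": magicdns_enabled(status),
        "peers": classify_peers(status),
        "routers": route_capable_peers(status),
    }


def live_status_json() -> str:
    """Read the real daemon; needs tailscaled running and the tailscale CLI on PATH."""
    return subprocess.run(["tailscale", "status", "--json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    raw = live_status_json() if "--live" in sys.argv else SAMPLE_STATUS
    print(json.dumps(report(raw), indent=2))
```

A peer that stays in the relayed state after a minute matches the "always relayed" case in the troubleshooting list; a `magicdns` value of false is the same signal the `jq .MagicDNSSuffix` check above looks for.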

Tested on: Ubuntu 24.04, Debian 12, Fedora 40, Arch rolling

Frequently asked questions

Does Tailscale work alongside an existing firewall like nftables or firewalld?
Yes. Tailscale manages its own WireGuard interface (tailscale0) and does not replace your firewall. Ensure your firewall allows traffic on UDP port 41641 outbound for direct connections; DERP relay traffic uses HTTPS (443) as a fallback, so it works even if 41641 is blocked.
What is the difference between an exit node and a subnet router?
An exit node routes all internet-bound traffic from a client through itself, masking the client's IP. A subnet router only advertises specific LAN subnets, letting tailnet members reach local devices without routing general internet traffic through the relay.
Can I run Tailscale on a machine without a GUI or browser?
Yes. Generate a reusable or ephemeral auth key in the admin console and pass it with `tailscale up --authkey=tskey-auth-...`. No browser interaction is needed on the server.
Will Tailscale survive a reboot automatically?
Once authenticated, Tailscale stores credentials locally and reconnects on startup as long as the tailscaled service is enabled. You only need to re-authenticate if you log out or if the key expires.
How do I remove a machine from my tailnet?
Run `sudo tailscale logout` on the machine to deregister it, then delete it from the admin console under Machines. The machine's 100.x IP is released and becomes unavailable to other peers immediately.
