CLI Reference¶
Overview¶
The tailscale CLI provides complete control over Tailscale:
Connection Commands¶
tailscale up¶
Connect to Tailscale network:
Flags:
| Flag | Description |
|---|---|
--accept-dns | Accept DNS configuration from admin |
--accept-routes | Accept subnet routes from other nodes |
--advertise-exit-node | Offer to be an exit node |
--advertise-routes= | Routes to advertise (CIDR) |
--advertise-tags= | ACL tags to request |
--auth-key= | Auth key for automated setup |
--exit-node= | Use specified exit node |
--exit-node-allow-lan-access | Allow LAN access when using exit node |
--force-reauth | Force reauthentication |
--hostname= | Hostname to use |
--login-server= | Custom coordination server |
--netfilter-mode= | Netfilter mode (on/nodivert/off) |
--operator= | Unix user to allow operations |
--reset | Reset unspecified options to default |
--shields-up | Block incoming connections |
--ssh | Run SSH server |
--timeout= | Connection timeout |
Examples:
# Basic connection
sudo tailscale up
# Server with SSH and routes
sudo tailscale up --ssh --advertise-routes=192.168.1.0/24
# Client using exit node
sudo tailscale up --exit-node=my-exit-server
# Automated with auth key
sudo tailscale up --auth-key=tskey-auth-xxxxx
tailscale down¶
Disconnect from Tailscale:
Keeps authentication, just disconnects.
tailscale logout¶
Log out and remove authentication:
Requires re-authentication on next tailscale up.
tailscale login¶
Authenticate with custom options:
Flags:
| Flag | Description |
|---|---|
--auth-key= | Use auth key |
--login-server= | Custom control server |
--timeout= | Login timeout |
Status Commands¶
tailscale status¶
Show network status:
Flags:
| Flag | Description |
|---|---|
--json | Output as JSON |
--peers | Show only peers |
--self | Show only self |
--active | Show only active peers |
--browser | Open admin console |
Examples:
# Basic status
tailscale status
# JSON output
tailscale status --json | jq '.Peer | keys'
# Just active connections
tailscale status --active
tailscale ip¶
Show Tailscale IP addresses:
Flags:
| Flag | Description |
|---|---|
-1 | Only show first IP |
-4 | Only show IPv4 |
-6 | Only show IPv6 |
Examples:
tailscale whois¶
Look up who owns an IP:
Example:
Network Commands¶
tailscale ping¶
Ping a peer through Tailscale:
Flags:
| Flag | Description |
|---|---|
--c= | Number of pings |
--timeout= | Ping timeout |
--tsmp | Use TSMP ping |
--peerapi | Ping via peerapi |
--until-direct | Ping until direct connection |
--verbose | Verbose output |
Examples:
# Basic ping
tailscale ping my-server
# Multiple pings
tailscale ping --c=10 my-server
# Wait for direct connection
tailscale ping --until-direct my-server
tailscale netcheck¶
Check network connectivity:
Flags:
| Flag | Description |
|---|---|
--verbose | Detailed output |
--every= | Repeat interval |
Example:
tailscale dns¶
Manage DNS configuration:
Subcommands:
Configuration Commands¶
tailscale set¶
Persistently set configuration:
Flags:
| Flag | Description |
|---|---|
--accept-dns | Accept DNS |
--accept-routes | Accept routes |
--advertise-exit-node | Advertise as exit node |
--advertise-routes= | Advertise routes |
--auto-update | Enable auto-updates |
--exit-node= | Set exit node |
--hostname= | Set hostname |
--operator= | Set operator user |
--shields-up | Enable shields |
--ssh | Enable SSH |
Examples:
# Enable auto-updates
sudo tailscale set --auto-update
# Set operator
sudo tailscale set --operator=myuser
# Enable SSH
sudo tailscale set --ssh
tailscale switch¶
Switch between Tailscale accounts:
Examples:
File Transfer¶
tailscale file¶
Transfer files between devices:
Subcommands:
Examples:
# Send file
tailscale file cp document.pdf my-laptop:
# Send multiple files
tailscale file cp *.jpg my-laptop:
# Receive files
tailscale file get ~/Downloads/
SSH Commands¶
tailscale ssh¶
SSH into a peer using Tailscale authentication:
Uses Tailscale identity instead of SSH keys.
Example:
Certificate Commands¶
tailscale cert¶
Manage TLS certificates:
Flags:
| Flag | Description |
|---|---|
--cert-file= | Certificate output file |
--key-file= | Key output file |
Example:
Funnel and Serve¶
tailscale serve¶
Expose local services on your tailnet:
Examples:
# Serve local port
tailscale serve 3000
# Serve with HTTPS
tailscale serve https / http://localhost:3000
# Serve static files
tailscale serve / /var/www/html
tailscale funnel¶
Expose services to the public internet:
Examples:
Debug Commands¶
tailscale debug¶
Various debugging commands:
Subcommands:
| Command | Description |
|---|---|
prefs | Show preferences |
netmap | Show network map |
portmap | Show port mappings |
derp-map | Show DERP map |
metrics | Show metrics |
component-logs | Enable component logging |
capture | Capture network traffic |
Examples:
# Show current preferences
tailscale debug prefs
# Show network map
tailscale debug netmap
# Show DERP servers
tailscale debug derp-map
tailscale bugreport¶
Generate a bug report:
Outputs a URL with diagnostic information for support.
Lock Commands¶
tailscale lock¶
Manage Tailscale Lock (network lock):
Subcommands:
tailscale lock status # Show lock status
tailscale lock init # Initialize lock
tailscale lock sign <nodekey> # Sign a node
tailscale lock disable # Disable lock
tailscale lock add <keys> # Add signing keys
tailscale lock remove <keys> # Remove signing keys
Update Commands¶
tailscale update¶
Update Tailscale:
Flags:
| Flag | Description |
|---|---|
--dry-run | Show what would update |
--yes | Skip confirmation |
--track= | Release track (stable/unstable) |
Example:
Exit Codes¶
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
JSON Output¶
Many commands support --json: