Tailscale

Mesh VPN — node enrollment, ACL policies, exit nodes, and subnet routing.

Connection Control

Authenticate and connect to your tailnet
sudo tailscale up
Disconnect from the tailnet without deregistering the node
sudo tailscale down
Re-authenticate with a specific login server (for Headscale or custom OIDC)
sudo tailscale up --login-server https://headscale.example.com
Force re-authentication — useful when auth key has expired
sudo tailscale up --force-reauth
Check the tailscaled daemon status
sudo systemctl status tailscaled

Node Status & Identity

Show all nodes in your tailnet — names, IPs, online/offline, OS
tailscale status
Show your own Tailscale IPv4 and IPv6 addresses
tailscale ip
Show only the IPv4 address — useful in scripts
tailscale ip -4
Show only the IPv6 address
tailscale ip -6
Full node information including DERP relay, endpoints, and tailnet name
tailscale status --json | jq '.Self'
List all peers with their last seen time and whether they use a relay
tailscale status --json | jq '.Peer[] | {HostName, TailscaleIPs, Relay, Online, LastSeen}'

Network Diagnostics

Ping a peer over Tailscale — shows latency and whether direct or relayed (DERP)
tailscale ping modestus-razer
Keep pinging until a direct (non-DERP) path is established, then stop
tailscale ping --until-direct modestus-razer
Show the current DERP map and relay connectivity
tailscale netcheck
Detailed netcheck — includes latency to all DERP regions
tailscale netcheck --verbose
Debug connectivity issues: print a shareable bug report identifier that marks the current logs for diagnosis
tailscale bugreport

Exit Nodes

Advertise this machine as an exit node (must be approved in admin console)
sudo tailscale up --advertise-exit-node
Route all traffic through a specific exit node — full tunnel
sudo tailscale up --exit-node=modestus-razer
Stop using an exit node — return to direct routing
sudo tailscale up --exit-node=
Allow LAN access while using an exit node — prevents losing local network
sudo tailscale up --exit-node=modestus-razer --exit-node-allow-lan-access

Subnet Routing

Advertise local subnets to the tailnet (must be approved in admin console)
sudo tailscale up --advertise-routes=10.50.1.0/24,10.50.10.0/24
Accept routes advertised by subnet routers on this client
sudo tailscale up --accept-routes
Verify which routes this node is advertising
tailscale status --json | jq '.Self.AllowedIPs'

MagicDNS

Look up a peer's Tailscale IP by hostname from the status output (works even without MagicDNS)
tailscale status | awk '/modestus-aw/ {print $1}'
DNS query for a tailnet node via MagicDNS (if enabled)
dig modestus-aw.tail12345.ts.net +short
Show the MagicDNS suffix of the current tailnet
tailscale status --json | jq '.CurrentTailnet.MagicDNSSuffix'

Tailscale SSH

Enable Tailscale SSH on this node — SSHd over the tailnet without key management
sudo tailscale up --ssh
SSH to a tailnet peer using Tailscale SSH (no keys needed, uses tailnet identity)
ssh user@modestus-razer
Check if Tailscale SSH is active on this node (its SSH host keys are listed when it is)
tailscale status --json | jq '.Self.sshHostKeys'

File Transfer

Send a file to a peer on your tailnet
tailscale file cp document.pdf modestus-razer:
Receive waiting files — saves to current directory by default
tailscale file get .
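Send every config file matching a glob to a peer (WireGuard configs contain private keys, so the receiving node must be one you trust with them)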
tailscale file cp /etc/wireguard/*.conf modestus-aw:

ACLs & Admin

Open the admin console in your browser
xdg-open https://login.tailscale.com/admin/machines
View the ACL policy file (requires API key or browser auth)
xdg-open https://login.tailscale.com/admin/acls
Log out: disconnect from the tailnet and expire this node's current key
sudo tailscale logout
Show the current tailscale version
tailscale version
View detailed daemon logs for connection issues
journalctl -u tailscaled --since "30 minutes ago" --no-pager

See Also

  • VPN — WireGuard, IPsec, OpenVPN

  • Routing — subnet routing and policy routing