# Tailscale Network Management

**Trigger Keywords:** tailscale, tailnet, wireguard vpn, mesh vpn, tailscale ssh, exit node, subnet router, tailscale acl, magicDNS, tailscale serve, tailscale funnel

**What is Tailscale?** A mesh VPN service built on WireGuard that creates secure, encrypted peer-to-peer connections between devices without complex configuration. Unlike traditional VPNs with central gateways, Tailscale creates direct connections between devices (or uses relay servers when needed).

**Key Benefits:**
- **Zero-config networking**: Works seamlessly across NAT and firewalls
- **Direct connections**: Peer-to-peer mesh reduces latency vs traditional hub-and-spoke VPNs
- **WireGuard encryption**: State-of-the-art cryptographic security
- **Identity-based access**: Integrates with SSO providers (Google, Okta, GitHub, etc.)
- **Cross-platform**: Works on Linux, macOS, Windows, iOS, Android, and more

## Quick Start

### Installation

**Linux (one-liner):**
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```

**macOS:**
```bash
brew install tailscale
```

**Windows/Other platforms:** Download from https://tailscale.com/download

### Initial Setup

```bash
# Start Tailscale and authenticate
sudo tailscale up

# Check status
tailscale status

# Get your Tailscale IP
tailscale ip -4

# Connect via MagicDNS hostname
ssh user@machine-name
```

## Common Operations

### Basic Connection Management

```bash
# Connect to your tailnet
tailscale up

# Disconnect but keep daemon running
tailscale down

# Check connection status and peers
tailscale status

# View detailed network map
tailscale status --json | jq

# Ping another tailnet device (TSMP ping)
tailscale ping machine-name

# Test connectivity including ACLs (ICMP ping)
tailscale ping --icmp machine-name
```

### Subnet Router Setup

**What it does:** Allows devices without Tailscale to be accessible via a gateway device that does have Tailscale installed.

**On the router device:**
```bash
# Enable IP forwarding (Linux)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

# Advertise routes to your local network
sudo tailscale up --advertise-routes=192.168.1.0/24,10.0.0.0/24
```

**In the admin console:**
1. Go to Machines → find your subnet router
2. Click menu → "Edit route settings"
3. Enable the advertised routes

**On client devices:**
```bash
# Linux needs explicit flag to accept routes
sudo tailscale up --accept-routes

# Other platforms accept routes automatically
```

### Exit Node Configuration

**What it does:** Routes ALL internet traffic through a specific device on your tailnet (like a traditional VPN).

**Setup exit node:**
```bash
# Enable IP forwarding (same as subnet router)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

# Advertise as exit node
sudo tailscale up --advertise-exit-node
```

**In admin console:**
1. Go to Machines → find exit node
2. Click menu → "Edit route settings"
3. Enable "Use as exit node"

**Use exit node from another device:**
```bash
# Use specific exit node
tailscale set --exit-node=exit-node-name

# Use suggested exit node (auto-selects best)
tailscale set --exit-node=auto:any

# Allow LAN access while using exit node
tailscale set --exit-node=exit-node-name --exit-node-allow-lan-access

# Stop using exit node
tailscale set --exit-node=
```

### Tailscale SSH Setup

**What it does:** SSH without managing keys, using your Tailscale identity for authentication.

**Enable SSH on server:**
```bash
# Enable Tailscale SSH server
sudo tailscale set --ssh
```

**Configure access in admin console:**
Go to Access Controls and add to the policy file:

```json
{
  "grants": [
    {
      "src": ["user@example.com"],
      "dst": ["tag:servers"],
      "ip": ["22"]
    }
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["user@example.com"],
      "dst": ["tag:servers"],
      "users": ["root", "ubuntu", "autogroup:nonroot"]
    }
  ]
}
```

**Connect from client:**
```bash
# No special setup needed on client!
ssh machine-name

# Or use specific user
ssh ubuntu@machine-name

# Works with SCP and SFTP too
scp file.txt machine-name:/tmp/
```

**Check mode** (for high-security connections):
```json
{
  "ssh": [
    {
      "action": "check",  // Requires recent SSO re-auth
      "src": ["user@example.com"],
      "dst": ["tag:servers"],
      "users": ["root"]
    }
  ]
}
```

### Serve and Funnel

**Tailscale Serve** (share within your tailnet):
```bash
# Serve local web server to tailnet
tailscale serve 3000

# Serve specific path
tailscale serve --https=443 --set-path=/app 8080

# Serve static files
tailscale serve --https=443 /var/www/html

# Serve with TLS-terminated TCP
tailscale serve --tls-terminated-tcp=5432 localhost:5432

# Check status
tailscale serve status

# Turn off
tailscale serve off
```

**Tailscale Funnel** (expose to public internet):
```bash
# Share to entire internet: 3000 is the local backend; the public Funnel
# listener must be on port 443 (default), 8443, or 10000
tailscale funnel 3000

# Turn off
tailscale funnel off
```

## Access Control Lists (ACLs)

**Default policy (allows all):**
```json
{
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ]
}
```

**Role-based access example:**
```json
{
  "groups": {
    "group:engineering": ["user1@example.com", "user2@example.com"],
    "group:ops": ["ops@example.com"]
  },
  "tagOwners": {
    "tag:dev": ["group:engineering"],
    "tag:prod": ["group:ops"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:dev:*"]
    },
    {
      "action": "accept",
      "src": ["group:ops"],
      "dst": ["tag:prod:*"]
    }
  ]
}
```

**Modern Grants syntax (recommended):**
```json
{
  "grants": [
    {
      "src": ["group:engineering"],
      "dst": ["tag:dev"],
      "ip": ["*"]
    },
    {
      "src": ["group:ops"],
      "dst": ["tag:prod"],
      "ip": ["22", "443", "80"]
    }
  ]
}
```

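Added example (not Tailscale's own tooling): a small Python linter that loads a policy file like the ones above, flags allow-everything rules in both `acls` and `grants`, and evaluates the policy's own `tests` block with a simplified matcher; it also covers the ACL Testing section under Troubleshooting. `load_policy`, `allowed`, `run_tests`, `wildcard_rules` and `SAMPLE_POLICY` are this example's own names and constructed data, and the matching is an approximation of Tailscale's engine, not a copy of it.

```python
"""Offline linter for a Tailscale policy file (added example, not Tailscale's code).
Flags allow-everything rules and evaluates the policy's own "tests" block against its
"acls". Simplified matching: users, group:, tag:, '*' only (no ranges, CIDRs, autogroups)."""
import json
import re

def load_policy(text):
    """Policy files are HuJSON; strip // line comments (assumes no '//' inside strings)."""
    return json.loads(re.sub(r"//[^\n]*", "", text))

def dst_matches(rule_dst, target):
    """Does an ACL dst like 'tag:prod:*' cover a test target like 'tag:prod:22'?"""
    rhost, _, rport = rule_dst.rpartition(":")
    thost, _, tport = target.rpartition(":")
    return rhost in ("*", thost) and rport in ("*", tport)

def allowed(policy, user, target):
    """True if some 'accept' rule in acls lets user reach target (groups expanded)."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        srcs = {m for s in rule.get("src", []) for m in groups.get(s, [s])}
        if srcs & {"*", user} and any(dst_matches(d, target) for d in rule.get("dst", [])):
            return True
    return False

def run_tests(policy):
    """Evaluate the 'tests' block; returns human-readable failures (empty = pass)."""
    failures = []
    for t in policy.get("tests", []):
        for target in t.get("accept", []):
            if not allowed(policy, t["src"], target):
                failures.append(f"{t['src']} should reach {target}")
        for target in t.get("deny", []):
            if allowed(policy, t["src"], target):
                failures.append(f"{t['src']} should NOT reach {target}")
    return failures

def wildcard_rules(policy):
    """Rules that let any source reach anything, as in the default policy above."""
    return ([r for r in policy.get("acls", []) if "*" in r.get("src", []) and "*:*" in r.get("dst", [])] +
            [g for g in policy.get("grants", []) if all("*" in g.get(k, []) for k in ("src", "dst", "ip"))])

# Constructed sample modelled on the role-based example above, plus a tests block.
SAMPLE_POLICY = """{
  "groups": {"group:engineering": ["user1@example.com"], "group:ops": ["ops@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:engineering"], "dst": ["tag:dev:*"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22"]}  // SSH only
  ],
  "tests": [
    {"src": "user1@example.com", "accept": ["tag:dev:443"], "deny": ["tag:prod:22"]},
    {"src": "ops@example.com", "accept": ["tag:prod:22"], "deny": ["tag:prod:443"]}
  ]
}"""
```

Run `run_tests(load_policy(open("policy.hujson").read()))` against your own file; an empty list means every `tests` expectation holds, and `wildcard_rules` returning anything means the default allow-all rule is still present.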
## Common Scenarios

### Home Lab Access

```bash
# On home server
sudo tailscale up --advertise-routes=192.168.1.0/24

# From anywhere
ssh homeserver
# Access 192.168.1.* devices through homeserver
```

### Secure Travel

```bash
# Set home device as exit node before trip
tailscale set --exit-node=home-server
# All traffic now routes through home
```

### Multi-Site Connectivity

```bash
# Site A router
sudo tailscale up --advertise-routes=10.0.0.0/24

# Site B router
sudo tailscale up --advertise-routes=10.1.0.0/24 --accept-routes
# Now Site B can reach Site A's 10.0.0.0/24 network
```

## Troubleshooting

### Connection Issues

```bash
# Check if devices can establish connection (ignores ACLs)
tailscale ping --tsmp peer-name

# Check end-to-end including ACLs
tailscale ping --icmp peer-name

# View NAT traversal and connection details
tailscale netcheck

# Debug daemon logs
tailscale debug daemon-logs

# Check DERP relay status and latencies
tailscale netcheck
```

**If TSMP succeeds but ICMP fails**: ACL policy is blocking the connection.

**If both fail**: Network connectivity issue (firewall, NAT, routing problem).

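Added example (not Tailscale's code) for the status checks above and the "prefer direct connections" best practice further down: it parses `tailscale status --json` and reports which peers are on a direct path, which are falling back to a DERP relay, and which are offline or have an expired key. The JSON field names used (`Peer`, `HostName`, `Online`, `Relay`, `CurAddr`, `Expired`, `PrimaryRoutes`) are assumed from the CLI's output and `SAMPLE_STATUS` is constructed data.

```python
"""Classify peers from `tailscale status --json` (added example, not Tailscale's code).
Field names (Peer, HostName, Online, Relay, CurAddr, Expired, PrimaryRoutes) are assumed
from the JSON the CLI emits; confirm them against your own output before relying on this."""
import json
import subprocess

# Constructed sample in the shape of `tailscale status --json`: one direct peer,
# one peer falling back to a DERP relay, one offline peer whose key has expired.
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "Peer": {
        "nodekey:aaaa": {"HostName": "homeserver", "Online": True, "Relay": "",
                         "CurAddr": "203.0.113.10:41641", "Expired": False,
                         "PrimaryRoutes": ["192.168.1.0/24"]},
        "nodekey:bbbb": {"HostName": "office-router", "Online": True, "Relay": "fra",
                         "CurAddr": "", "Expired": False, "PrimaryRoutes": None},
        "nodekey:cccc": {"HostName": "old-vm", "Online": False, "Relay": "",
                         "CurAddr": "", "Expired": True, "PrimaryRoutes": None},
    },
})

def classify_peers(status_json):
    """Map each peer hostname to 'direct', 'relay:<region>', 'offline' or 'expired'."""
    result = {}
    for peer in json.loads(status_json).get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if peer.get("Expired"):
            result[name] = "expired"        # key expiry hit: re-auth, or disable expiry
        elif not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            result[name] = "direct"         # peer-to-peer path: the case to prefer
        else:
            # Via DERP, or simply idle (CurAddr is empty until traffic flows; ping it first)
            result[name] = "relay:" + (peer.get("Relay") or "unknown")
    return result

def subnet_routers(status_json):
    """Hostnames of peers currently serving subnet routes (PrimaryRoutes non-empty)."""
    peers = json.loads(status_json).get("Peer", {}).values()
    return sorted(p["HostName"] for p in peers if p.get("PrimaryRoutes"))

if __name__ == "__main__":
    # Use the live daemon when available, otherwise fall back to the constructed sample.
    try:
        data = subprocess.run(["tailscale", "status", "--json"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        data = SAMPLE_STATUS
    for host, state in classify_peers(data).items():
        print(f"{host:20} {state}")
    print("subnet routers:", subnet_routers(data))
```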
### ACL Testing

**Preview rules for a specific user (in admin console):** Access Controls → Preview rules → select user

**Test ACLs in the policy file** by adding a `tests` block to the policy:
```json
"tests": [
  { "src": "user@example.com", "accept": ["tag:server:22"], "deny": ["tag:prod:*"] }
]
```

### Subnet Router Not Working

```bash
# Verify IP forwarding enabled
cat /proc/sys/net/ipv4/ip_forward   # Should be 1

# Check firewall isn't blocking
sudo iptables -L -v -n
sudo iptables -t nat -L -v -n

# Verify routes advertised
tailscale status | grep "subnet router"

# On client, ensure routes accepted
tailscale status | grep "routes accepted"
```

### MagicDNS Not Resolving

```bash
# Check MagicDNS enabled
tailscale status | grep MagicDNS
# In admin console: DNS → Enable MagicDNS

# Flush DNS cache
# macOS
sudo dscacheutil -flushcache
# Linux (systemd-resolved)
sudo resolvectl flush-caches          # newer systemd
sudo systemd-resolve --flush-caches   # older releases
```

## Best Practices

### Security

✅ **Use tags for servers**: Never share with personal accounts
```bash
sudo tailscale up --advertise-tags=tag:server
```

✅ **Disable key expiry for servers**:
- Admin console → Machines → menu → "Disable key expiry"
- Or use `--auth-key` with a reusable key

✅ **Use check mode for root access**: Requires recent SSO re-authentication

✅ **Principle of least privilege**: Grant only necessary ports in ACLs
```json
{
  "grants": [{
    "src": ["group:devs"],
    "dst": ["tag:dev"],
    "ip": ["22", "80", "443"]  // Only SSH and HTTP(S)
  }]
}
```

✅ **Enable Tailnet Lock (enterprise)**: Cryptographically prevent unauthorized device additions

### Operations

✅ **Use auth keys for automation**:
```bash
# Generate in admin console → Settings → Keys
sudo tailscale up --auth-key=tskey-auth-...
```

✅ **Tag infrastructure servers**: Enables service accounts instead of personal ownership

✅ **Set up high-availability**:
```bash
# Multiple subnet routers with same routes = automatic failover
# Router 1
sudo tailscale up --advertise-routes=10.0.0.0/24
# Router 2
sudo tailscale up --advertise-routes=10.0.0.0/24
```

✅ **Use GitOps for ACLs**: Version control your policy file with GitHub/GitLab

✅ **Monitor with logging**: Enable network flow logs (Enterprise feature)

### Performance

✅ **Enable UDP GRO forwarding** (Linux subnet routers):
```bash
NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
sudo ethtool -K "$NETDEV" rx-udp-gro-forwarding on rx-gro-list off
```

✅ **Prefer direct connections**: Check with `tailscale status` and look for "direct"

✅ **Use appropriate MTU**: Usually auto-detected correctly, but can be tuned if needed

## Reference Files

- `references/cli-reference.md` - Complete CLI command reference with all flags
- `references/acl-examples.md` - Detailed ACL and grants configuration examples
- `references/api-usage.md` - Tailscale API integration and automation
- `references/troubleshooting.md` - Comprehensive troubleshooting guide
- `references/production-setup.md` - Best practices for production deployments
- `scripts/setup_subnet_router.sh` - Automated subnet router setup script
- `scripts/setup_exit_node.sh` - Automated exit node setup script