How to Install & Configure Tailscale on Linux, Windows & macOS

0) What Tailscale Is (30-second refresher)

  • A mesh VPN / overlay network: your devices join a private network (“tailnet”) and get stable 100.x.y.z IPs.
  • Uses WireGuard for encrypted tunnels. Data tries to go direct P2P over UDP; if blocked, it falls back to encrypted DERP relays.
  • Access is controlled by identity (your login) and ACL policies, not by being “on the same LAN”.
  • A control plane coordinates keys, device info, and policy; it is not in the data path.

1) Tailnet Basics (org vs personal)

  • Organization tailnet (you logged in with a company email): you’re a member; admins control ACLs, routes, DNS, etc. You’ll see many org devices; that does not grant you access to them unless ACLs allow it.
  • Personal tailnet (you logged in with personal email): you are the admin; full control (devices, ACLs, DNS/MagicDNS, keys, routes).

Privacy lever (local):
To block all inbound connections to your device while staying online:

tailscale up --shields-up

(Works on macOS/Linux CLI; on Windows/macOS you can also toggle via the app UI.)


2) Install Tailscale (per OS)

Windows 10/11

  1. Run the Tailscale installer (standard MSI).
  2. Launch the Tailscale app (tray icon).
  3. Click Log in, authenticate with the account you want this device to belong to.

macOS (App + CLI)

Recommended (GUI + helper):

# If you use Homebrew:
brew install --cask tailscale-app
open -a Tailscale
  • Click Log in in the app and authenticate.
  • CLI becomes available as tailscale.

If your CLI says “command not found” or GUI/CLI disagree, see “macOS fixes” in the Troubleshooting section.

Linux (systemd distros)

curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
sudo tailscale up
# Browser opens for SSO; approve and you're online.

Headless Linux (no browser):

  • In the Admin Console (your tailnet), make an Auth Key.
sudo tailscale up --auth-key tskey-XXXXXXXXXXXXXXXX
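The headless join above puts the auth key on the command line, where it lands in shell history. The script below is an added example (not from the original post) that reads the key from a file instead, refuses a key file that other local users can read, and checks that the value at least looks like a Tailscale key before calling tailscale up. The key file path, the hostname and the TAILSCALE_BIN override are constructed assumptions; --auth-key is the flag used on this page and --hostname is a real tailscale up flag.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Join a headless Linux host with an auth key read from a file rather than typed
# on the command line (which would land in shell history). Refuses key files that
# group/other can read, so the key is not left lying around world-readable.
# Assumptions: key file path and hostname are placeholders; TAILSCALE_BIN lets
# the functions be exercised without the real binary installed.

TAILSCALE_BIN="${TAILSCALE_BIN:-tailscale}"

# key_file_is_private FILE -> succeeds only if FILE is a regular file with no
# group/other permission bits (e.g. mode 0600 or 0400)
key_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 of "-rw-------" = group + other bits
    [ "$mode" = "------" ]
}

# read_auth_key FILE -> prints the key; fails if the file is missing, too open,
# or does not carry a "tskey-" prefixed value
read_auth_key() {
    key_file_is_private "$1" || { echo "refusing $1: must be a regular file with mode 600" >&2; return 1; }
    key=$(head -n1 "$1" | tr -d '[:space:]')
    case "$key" in
        tskey-*) printf '%s\n' "$key" ;;
        *) echo "refusing $1: does not look like a Tailscale auth key" >&2; return 1 ;;
    esac
}

# join_headless KEY_FILE HOSTNAME -> runs `tailscale up` with the key and a chosen
# device name (override TAILSCALE_BIN=echo to just see the argv it would use)
join_headless() {
    key=$(read_auth_key "$1") || return 1
    "$TAILSCALE_BIN" up --auth-key "$key" --hostname "$2"
}

# Usage: sudo sh join.sh /root/tailscale.key web-01
if [ "$#" -eq 2 ]; then
    join_headless "$1" "$2"
fi
```

Create the key file with `umask 077` (or `chmod 600` it) before running, and prefer a one-off rather than reusable auth key from the admin console so that a leaked file cannot enrol a second device.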

3) Add a Second Machine (join the same tailnet)

Repeat the install on the second device and log in with the same account/identity you used on the first.
Verify both are visible to each other:

tailscale status

You should see each device listed with a 100.x.y.z address and “active”.


4) Verify Connectivity & Name Resolution

From either machine:

tailscale ip         # show this device’s tailnet IPs
tailscale status     # show peers and state
ping 100.x.y.z       # test the other device by its Tailscale IP

MagicDNS (if enabled in your tailnet): you can use hostnames like:

ping hostname.tailnet

5) Common Access Methods (beyond SSH)

A) SSH (Linux/macOS targets)

Key-based (classic):

# on your client
ssh-keygen -t ed25519 -C "my-key"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@100.x.y.z
# test:
ssh user@100.x.y.z

Harden (optional, on server):
Disable password auth after key login works by editing sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

Then restart sshd.
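A common slip when hardening sshd_config is to append "PasswordAuthentication no" at the end of the file while an earlier "yes" line is still present: sshd takes the first value of a directive, so the later line does nothing. The check below is an added example (not from the original post) that reads a config the way sshd does for these two directives (case-insensitive names, commented-out defaults ignored, first occurrence wins) and reports whether password login is really off. It does not model Include or Match blocks; the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Check whether an sshd_config actually disables password auth and keeps
# public-key auth enabled. sshd behaviour modelled here:
#   * directive names are case-insensitive
#   * if a directive appears more than once, the FIRST value wins
#   * "#PasswordAuthentication yes" is a comment showing the default, not a setting
# Not modelled: Include files and Match blocks. For the effective runtime config,
# run `sudo sshd -T | grep -i authentication` on the server.

# effective_value FILE DIRECTIVE -> first active value (lower-cased), or "unset"
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }            # comments, including commented defaults
        /^[[:space:]]*$/ { next }            # blank lines
        { key = tolower($1) }
        key == want { print tolower($2); found = 1; exit }   # END still runs after exit
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_config FILE -> one finding per line; returns 0 only if hardened
check_sshd_config() {
    cfg="$1"
    rc=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    # compiled-in defaults: PasswordAuthentication yes, PubkeyAuthentication yes
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication is '$pw' (want no)"; rc=1
    else
        echo "OK   PasswordAuthentication no"
    fi
    if [ "$pk" = "no" ]; then
        echo "FAIL PubkeyAuthentication is 'no' (want yes)"; rc=1
    else
        echo "OK   PubkeyAuthentication $pk (yes is also the default)"
    fi
    return $rc
}

# Constructed sample: "no" was appended at the end, but the earlier "yes" wins.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config sample, constructed for this example
#PasswordAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

# Usage: sh check_sshd.sh --demo   (or: check_sshd_config /etc/ssh/sshd_config)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    check_sshd_config "$tmp"     # reports FAIL: the first "yes" is what sshd uses
    rm -f "$tmp"
fi
```

Run `sshd -t` before restarting so a typo in the file does not lock you out of the SSH session you are editing from.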

Tailscale SSH (SSO-backed, no key copying):

  • Admin enables Tailscale SSH in policy and on the target host:
sudo tailscale up --ssh
  • Then from your client:
ssh user@hostname.tailnet

B) Windows GUI (RDP)

On the Windows host (PowerShell as Admin):

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" `
  -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

From client:

  • Windows: mstsc /v:100.x.y.z
  • macOS: Microsoft Remote Desktop app → add 100.x.y.z
  • Linux: xfreerdp /v:100.x.y.z

C) SMB / File Shares

  • Windows host → Windows client: \\100.x.y.z\Share
  • Windows host → macOS client: Finder → Go → Connect to Server → smb://100.x.y.z/Share
  • Windows host → Linux client:
sudo apt install cifs-utils
sudo mount -t cifs //100.x.y.z/Share /mnt/share -o user=USERNAME

D) VNC (alternative GUI, cross-platform)

  • Install a VNC server on the host (e.g., TightVNC).
  • Connect from client VNC viewer to 100.x.y.z:5900.
    Note: VNC itself isn’t encrypted, but the Tailscale tunnel is.

E) HTTP(S) services / Databases

  • Any TCP/UDP service listening on a port can be used over Tailscale if the local firewall and the tailnet ACLs allow it:
nc -vz 100.x.y.z 443       # test HTTPS
nc -vz 100.x.y.z 5432      # test PostgreSQL

6) Everyday CLI You’ll Actually Use

tailscale status         # see who’s online, route type (direct/derp)
tailscale ip             # show your addresses
tailscale ping hostname  # quick health probe via Tailscale
tailscale logout         # detach this device from the tailnet
tailscale up --shields-up                # block inbound
tailscale up --advertise-exit-node       # make this device an exit node
tailscale up --exit-node=100.x.y.z       # route your internet via that exit node
tailscale up --advertise-routes=192.168.1.0/24   # act as subnet router

Note: Routes advertised must be approved in your tailnet before others can use them.


7) Features & Options (with where they matter)

MagicDNS

  • Friendly names for peers (e.g., mybox.tailnet).
  • Configure in your tailnet’s DNS settings; then use names instead of IPs.

Exit Nodes

  • Send all internet traffic through a chosen device (e.g., home desktop).
  • On exit node: tailscale up --advertise-exit-node
  • On client: select that node in the app, or tailscale up --exit-node=<IP-or-name>

Subnet Routers

  • Make an entire LAN behind one device reachable to the tailnet:
sudo tailscale up --advertise-routes=10.0.0.0/24,10.10.0.0/16
  • Approve those routes in your tailnet.

ACLs (Access Control Lists)

  • Control who can access what (users/groups → devices/ports).
  • If you can see devices but can’t connect, an ACL likely blocks it.
  • Ask your admin to allow your user/group to reach the hostname:port you need.

Device Posture / Keys

  • Devices enroll with keys tied to identity; keys rotate automatically.
  • Disabling a user/device or rotating keys revokes access immediately (your earlier question about ex-employees).

8) Security Reality Checks (based on your questions)

  • Seeing many org devices: normal in a company tailnet. No automatic access to them; ACLs gate everything.
  • Can admins access my Mac? No, not silently. They can only allow the network path. You still need a listening service (SSH/RDP/etc.), and they need policy allowing their identity to reach your port. Use --shields-up if you want local deny-all.
  • Ex-employee scenario: once removed/disabled, their keys are invalid and other devices won’t talk to them. Managed Tailscale revocation blocks later access even if they kept old configs.

9) Troubleshooting (real issues you hit + quick fixes)

A) macOS: Error: CLI credentials are not available BadResponse

Cause: the GUI login is stored in the user’s context, but the command was run under sudo (root), or the helper wasn’t initialized.

Fix (clean):

  1. Quit Tailscale from the menu bar.
  2. In Terminal:
sudo tailscale down || true
sudo launchctl unload /Library/LaunchDaemons/com.tailscale.tailscaled.plist 2>/dev/null || true
  3. Reinstall/repair:
brew install --cask tailscale-app
open -a Tailscale
  4. Run tailscale up without sudo (GUI-install context).
  5. If you must use root (headless style), use an Auth Key:
sudo tailscale up --auth-key tskey-XXXXXXXXXXXXXXXX

B) macOS: tailscaled: command not found

Cause: The helper/daemon binary isn’t in PATH or wasn’t installed.

Fix:

  • Remove old/broken bits, reinstall GUI app, then open it once:
sudo rm -rf /Applications/Tailscale.app
sudo rm -f /usr/local/bin/tailscale /usr/local/bin/tailscaled
brew uninstall tailscale tailscale-app --force 2>/dev/null || true

brew install --cask tailscale-app
open -a Tailscale   # initializes helper and CLI shim
tailscale version

C) “I see many devices. Can they access me?”

  • Not by default. Check or toggle:
tailscale up --shields-up
  • You can still connect outbound to others.

D) “Ping works but SSH/RDP doesn’t”

  • Check local firewall on the target (open port 22/3389/etc.).
  • Confirm service is listening (sshd, RDP enabled).
  • Ask admin to allow the ACL rule for your user → hostname:port.
  • Test port from client:
nc -vz 100.x.y.z 22
# Windows PowerShell:
Test-NetConnection -ComputerName 100.x.y.z -Port 3389

E) “Direct path fails, slow over DERP”

  • That’s expected when UDP is blocked or the NAT on either side is restrictive. If possible, allow outbound UDP on both sides to improve direct connectivity.
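To see at a glance which peers are direct and which are stuck on a DERP relay (the situation in 9E, and the "route type" column mentioned in sections 4 and 6), the script below is an added example (not from the original post) that parses the plain-text tailscale status output and classifies each peer. It assumes the column layout IP, hostname, owner, OS, state and the words "direct", "relay" and "offline" in the state column; the sample status text it ships with is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Summarise the path each peer is using, from the plain-text output of
# `tailscale status` (not --json). "relay" means traffic is going through a
# DERP relay: still encrypted and working, but slower than "direct".
# Assumption: columns are IP, hostname, owner, OS, then free-text state that
# contains "direct", "relay", "offline", or none of them (idle / no traffic yet).

# classify_peer STATE_TEXT -> direct | relay | offline | idle
classify_peer() {
    case "$1" in
        *offline*) echo offline ;;
        *direct*)  echo direct ;;
        *relay*)   echo relay ;;
        *)         echo idle ;;
    esac
}

# summarise_status SELF_IP < status.txt -> one "IP HOST CLASS" line per peer
# (this device's own line, identified by SELF_IP, is skipped)
summarise_status() {
    self="$1"
    while read -r ip host owner os state; do
        [ -z "$ip" ] && continue          # blank line
        [ "$ip" = "$self" ] && continue   # our own entry
        printf '%s %s %s\n' "$ip" "$host" "$(classify_peer "$state")"
    done
}

# count_relayed SELF_IP < status.txt -> number of peers currently on a DERP relay
count_relayed() {
    summarise_status "$1" | awk '$3 == "relay" { n++ } END { print n + 0 }'
}

# Constructed sample of what `tailscale status` prints; 100.64.0.1 is "us".
sample_status() {
    cat <<'EOF'
100.64.0.1   laptop   alice@  macOS   -
100.64.0.2   server   alice@  linux   active; direct 203.0.113.5:41641, tx 84512 rx 91203
100.64.0.3   nas      alice@  linux   active; relay "fra", tx 1200 rx 3400
100.64.0.4   phone    alice@  iOS     offline
100.64.0.5   desktop  alice@  windows -
EOF
}

# Usage on a real machine:  tailscale status | summarise_status "$(tailscale ip -4)"
if [ "${1:-}" = "--demo" ]; then
    sample_status | summarise_status 100.64.0.1
    echo "peers on a DERP relay: $(sample_status | count_relayed 100.64.0.1)"
fi
```

A peer that stays on "relay" after a minute of traffic usually means UDP is blocked on one side; Tailscale's default WireGuard port is UDP 41641, and `tailscale ping hostname` (section 6) reports whether a direct path was found.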

F) “Can’t resolve names”

  • Enable MagicDNS in your tailnet and ensure your client is set to accept DNS from Tailscale. Use the hostname you see in the app.

10) Guided “Two-Machine” Tutorials (by OS pair)

macOS ↔ Linux (SSH + Ping)

On both: install, log in, confirm tailscale status.
From macOS:

ping 100.a.b.c
ssh user@100.a.b.c

If you want passwordless (key-based) login:

ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@100.a.b.c
ssh user@100.a.b.c

Windows ↔ macOS (RDP + SMB)

On Windows (host):

  • Enable Remote Desktop (Settings → System → Remote Desktop), or via PowerShell (see earlier).
  • Share a folder if you want SMB.

From macOS (client):

  • Microsoft Remote Desktop → add 100.x.y.z → connect (RDP).
  • Finder → Connect to Server → smb://100.x.y.z/Share.

Windows ↔ Linux (RDP from Linux client)

On Windows (host): enable RDP (and firewall rules).
On Linux (client):

sudo apt install freerdp2-x11   # or your distro's equivalent package
xfreerdp /v:100.x.y.z

Linux ↔ Linux (SSH + Subnet router)

On the router host:

sudo tailscale up --advertise-routes=192.168.1.0/24

Approve route in tailnet; then from the other Linux box:

ping 192.168.1.10      # device behind the router
ssh user@192.168.1.10

11) Admin-Only (for your personal tailnet or if you’re an org admin)

  • Machines: rename, disable, delete devices; approve routes; set exit nodes.
  • Access Controls: edit JSON ACLs (who → what:port).
  • DNS: MagicDNS on/off; custom resolvers; split DNS.
  • Keys: create/revoke auth keys; device expiry policies.
  • Users/Groups: invite/remove users; map groups for ACLs.
  • Tailscale SSH: turn on; define per-host ssh rules in ACLs.
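Sections 7 and 11 describe ACLs as "who → what:port" JSON and section 12 recommends deny-by-default; the script below is an added example (not from the original post) of what such a policy looks like, together with a small lint for the one rule that silently undoes it, an accept rule whose destination is "*" or "*:*". The group and tag names are constructed; the policy is written as plain JSON, and the lint does not strip the // comments that the admin console's HuJSON editor allows.

```shell
#!/bin/sh
# Added example, not part of the original post.
# A minimal deny-by-default tailnet policy plus a lint for allow-everything rules.
# Tailscale ACLs are deny-by-default: a connection is allowed only if some
# "accept" rule matches it, so the goal is to keep every rule narrow.
# Assumptions: group:devs and tag:server are constructed names; the policy is
# plain JSON (HuJSON comments are not stripped by the lint).

write_example_policy() {
    cat > "$1" <<'EOF'
{
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    "tag:server": ["group:devs"]
  },
  "acls": [
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:server:22"]},
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:server:5432"]}
  ],
  "ssh": [
    {"action": "check", "src": ["group:devs"], "dst": ["tag:server"], "users": ["autogroup:nonroot"]}
  ]
}
EOF
}

# wildcard_rules FILE -> number of rules whose dst list contains "*" or "*:*"
# (any host, any port). Narrow wildcards such as "*:22" are not flagged.
wildcard_rules() {
    grep -c -E '"dst":[[:space:]]*\[[^]]*"\*(:\*)?"' "$1" || true
}

# Usage: sh policy_lint.sh --demo   (or: wildcard_rules policy.json)
if [ "${1:-}" = "--demo" ]; then
    p=$(mktemp)
    write_example_policy "$p"
    echo "allow-everything rules in example policy: $(wildcard_rules "$p")"
    rm -f "$p"
fi
```

The policy a brand-new tailnet ships with is exactly the rule this lint flags (src "*" to dst "*:*"), which is why a personal tailnet owner should replace it before inviting anyone else; the "ssh" section's "check" action additionally forces periodic re-authentication for Tailscale SSH sessions.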

12) Quick “Owner’s Safety” Checklist

  • Keep passwordless SSH set up correctly; disable SSH password auth if you own the server.
  • Use Network Level Authentication (NLA) for RDP and strong account passwords.
  • Prefer deny-by-default ACLs; only allow required ports/hosts.
  • Use --shields-up on laptops if you don’t want inbound at all.
  • Offboard fast: disable users/devices; keys rotate automatically.

You’re all set 🎉

With this, you can:

  • Install on Windows/macOS/Linux,
  • Add devices to the same tailnet,
  • Verify connectivity (ping/status),
  • Access services (SSH, RDP, SMB, VNC, HTTP, DBs),
  • Enable MagicDNS, exit nodes, subnet routers,
  • Understand ACLs, admin capabilities, and security,
  • Fix common macOS install/auth issues,
  • And keep your environment locked down.
