<\/p>\n\n\n\n
Privacy lever (local):<\/strong> (Works on macOS\/Linux CLI; on Windows\/macOS you can also toggle via the app UI.)<\/p>\n\n\n\n Recommended (GUI + helper):<\/strong><\/p>\n\n\n\n If your CLI says \u201ccommand not found\u201d or GUI\/CLI disagree<\/strong>, see \u201cmacOS fixes\u201d in the Troubleshooting section.<\/p>\n\n\n\n Headless Linux<\/strong> (no browser):<\/p>\n\n\n\n Repeat the install on the second device and log in with the same account\/identity<\/strong> you used on the first. You should see each device listed with a 100.x.y.z<\/strong> address and \u201cactive\u201d.<\/p>\n\n\n\n From either machine:<\/p>\n\n\n\n MagicDNS<\/strong> (if enabled in your tailnet): you can use hostnames like:<\/p>\n\n\n\n Key-based (classic):<\/strong><\/p>\n\n\n\n Harden (optional, on server):<\/strong> Then restart sshd.<\/p>\n\n\n\n Tailscale SSH (SSO-backed, no key copying):<\/strong><\/p>\n\n\n\n On the Windows host<\/strong> (PowerShell as Admin):<\/p>\n\n\n\n From client:<\/strong><\/p>\n\n\n\n Note:<\/strong> Routes advertised must be approved in your tailnet before others can use them.<\/p>\n\n\n\n Cause: GUI login stored in user context but command was run under Fix (clean):<\/strong><\/p>\n\n\n\n Cause: The helper\/daemon binary isn\u2019t in PATH or wasn\u2019t installed.<\/p>\n\n\n\n Fix:<\/strong><\/p>\n\n\n\n On both:<\/strong> install, log in, confirm If passwordless wanted:<\/strong><\/p>\n\n\n\n On Windows (host):<\/strong><\/p>\n\n\n\n From macOS (client):<\/strong><\/p>\n\n\n\n On Windows (host):<\/strong> enable RDP (and firewall rules).
To block all inbound connections to your device while staying online:<\/p>\n\n\n\ntailscale up --shields-up\n<\/code><\/pre>\n\n\n\n
\n\n\n\n2) Install Tailscale (per OS)<\/h2>\n\n\n\n
Windows 10\/11<\/h3>\n\n\n\n
\n
macOS (App + CLI)<\/h3>\n\n\n\n
# If you use Homebrew:\nbrew install --cask tailscale-app\nopen -a Tailscale\n<\/code><\/pre>\n\n\n\n\n
tailscale<\/code>.<\/li>\n<\/ul>\n\n\n\nLinux (systemd distros)<\/h3>\n\n\n\n
curl -fsSL https:\/\/tailscale.com\/install.sh | sh\nsudo systemctl enable --now tailscaled\nsudo tailscale up\n# Browser opens for SSO; approve and you're online.\n<\/code><\/pre>\n\n\n\n\n
sudo tailscale up --auth-key tskey-XXXXXXXXXXXXXXXX\n<\/code><\/pre>\n\n\n\n
\n\n\n\n3) Add a Second Machine (join the same tailnet)<\/h2>\n\n\n\n
Verify both are visible to each other:<\/p>\n\n\n\ntailscale status\n<\/code><\/pre>\n\n\n\n
\n\n\n\n4) Verify Connectivity & Name Resolution<\/h2>\n\n\n\n
tailscale ip # show this device\u2019s tailnet IPs\ntailscale status # show peers and state\nping 100.x.y.z # test the other device by its Tailscale IP\n<\/code><\/pre>\n\n\n\nping hostname.tailnet\n<\/code><\/pre>\n\n\n\n
\n\n\n\n5) Common Access Methods (beyond SSH)<\/h2>\n\n\n\n
A) SSH (Linux\/macOS targets)<\/h3>\n\n\n\n
# on your client\nssh-keygen -t ed25519 -C \"my-key\"\nssh-copy-id -i ~\/.ssh\/id_ed25519.pub user@100.x.y.z\n# test:\nssh user@100.x.y.z\n<\/code><\/pre>\n\n\n\n
Disable password auth after<\/em> key login works by editing sshd_config<\/code>:<\/p>\n\n\n\nPasswordAuthentication no\nPubkeyAuthentication yes\n<\/code><\/pre>\n\n\n\n\n
sudo tailscale up --ssh\n<\/code><\/pre>\n\n\n\n\n
ssh user@hostname.tailnet\n<\/code><\/pre>\n\n\n\nB) Windows GUI (RDP)<\/h3>\n\n\n\n
Set-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\" `\n -Name \"fDenyTSConnections\" -Value 0\nEnable-NetFirewallRule -DisplayGroup \"Remote Desktop\"\n<\/code><\/pre>\n\n\n\n\n
mstsc \/v:100.x.y.z<\/code><\/li>\n\n\n\n100.x.y.z<\/code><\/li>\n\n\n\nxfreerdp \/v:100.x.y.z<\/code><\/li>\n<\/ul>\n\n\n\nC) SMB \/ File Shares<\/h3>\n\n\n\n
\n
\\\\100.x.y.z\\Share<\/code><\/li>\n\n\n\nsmb:\/\/100.x.y.z\/Share<\/code><\/li>\n\n\n\nsudo apt install cifs-utils\nsudo mount -t cifs \/\/100.x.y.z\/Share \/mnt\/share -o user=USERNAME\n<\/code><\/pre>\n\n\n\nD) VNC (alternative GUI, cross-platform)<\/h3>\n\n\n\n
\n
100.x.y.z:5900<\/code>.
Note: VNC itself isn\u2019t encrypted, but the Tailscale tunnel is<\/strong>.<\/li>\n<\/ul>\n\n\n\nE) HTTP(S) services \/ Databases<\/h3>\n\n\n\n
\n
nc -vz 100.x.y.z 443 # test HTTPS\nnc -vz 100.x.y.z 5432 # test PostgreSQL\n<\/code><\/pre>\n\n\n\n
\n\n\n\n6) Everyday CLI You\u2019ll Actually Use<\/h2>\n\n\n\n
tailscale status # see who\u2019s online, route type (direct\/derp)\ntailscale ip # show your addresses\ntailscale ping hostname # quick health probe via Tailscale\ntailscale logout # detach this device from the tailnet\ntailscale up --shields-up # block inbound\ntailscale up --advertise-exit-node # make this device an exit node\ntailscale up --exit-node=100.x.y.z # route your internet via that exit node\ntailscale up --advertise-routes=192.168.1.0\/24 # act as subnet router\n<\/code><\/pre>\n\n\n\n
\n\n\n\n7) Features & Options (with where they matter)<\/h2>\n\n\n\n
MagicDNS<\/h3>\n\n\n\n
\n
mybox.tailnet<\/code>).<\/li>\n\n\n\nExit Nodes<\/h3>\n\n\n\n
\n
tailscale up --advertise-exit-node<\/code><\/li>\n\n\n\ntailscale up --exit-node=<IP-or-name><\/code><\/li>\n<\/ul>\n\n\n\nSubnet Routers<\/h3>\n\n\n\n
\n
sudo tailscale up --advertise-routes=10.0.0.0\/24,10.10.0.0\/16\n<\/code><\/pre>\n\n\n\n\n
ACLs (Access Control Lists)<\/h3>\n\n\n\n
\n
hostname:port<\/code> you need.<\/li>\n<\/ul>\n\n\n\nDevice Posture \/ Keys<\/h3>\n\n\n\n
\n
\n\n\n\n8) Security Reality Checks (based on your questions)<\/h2>\n\n\n\n
\n
--shields-up<\/code> if you want local deny-all.<\/li>\n\n\n\n
\n\n\n\n9) Troubleshooting (real issues you hit + quick fixes)<\/h2>\n\n\n\n
A) macOS:
Error: CLI credentials are not available BadResponse<\/code><\/h3>\n\n\n\nsudo<\/code> (root) or the helper wasn\u2019t initialized.<\/p>\n\n\n\n\n
sudo tailscale down || true\nsudo launchctl unload \/Library\/LaunchDaemons\/com.tailscale.tailscaled.plist 2>\/dev\/null || true\n<\/code><\/pre>\n\n\n\n\n
brew install --cask tailscale-app\nopen -a Tailscale\n<\/code><\/pre>\n\n\n\n\n
tailscale up<\/code> without<\/strong> sudo (GUI-install context).<\/li>\n\n\n\nsudo tailscale up --auth-key tskey-XXXXXXXXXXXXXXXX\n<\/code><\/pre>\n\n\n\nB) macOS:
tailscaled: command not found<\/code><\/h3>\n\n\n\n\n
sudo rm -rf \/Applications\/Tailscale.app\nsudo rm -f \/usr\/local\/bin\/tailscale \/usr\/local\/bin\/tailscaled\nbrew uninstall tailscale tailscale-app --force 2>\/dev\/null || true\n\nbrew install --cask tailscale-app\nopen -a Tailscale # initializes helper and CLI shim\ntailscale version\n<\/code><\/pre>\n\n\n\nC) \u201cI see many devices. Can they access me?\u201d<\/h3>\n\n\n\n
\n
tailscale up --shields-up\n<\/code><\/pre>\n\n\n\n\n
D) \u201cPing works but SSH\/RDP doesn\u2019t\u201d<\/h3>\n\n\n\n
\n
sshd<\/code>, RDP enabled).<\/li>\n\n\n\nhostname:port<\/code>.<\/li>\n\n\n\nnc -vz 100.x.y.z 22\n# Windows PowerShell:\nTest-NetConnection -ComputerName 100.x.y.z -Port 3389\n<\/code><\/pre>\n\n\n\nE) \u201cDirect path fails, slow over DERP\u201d<\/h3>\n\n\n\n
\n
F) \u201cCan\u2019t resolve names\u201d<\/h3>\n\n\n\n
\n
\n\n\n\n10) Guided \u201cTwo-Machine\u201d Tutorials (by OS pair)<\/h2>\n\n\n\n
macOS \u2194 Linux (SSH + Ping)<\/h3>\n\n\n\n
tailscale status<\/code>.
From macOS:<\/strong><\/p>\n\n\n\nping 100.a.b.c\nssh user@100.a.b.c\n<\/code><\/pre>\n\n\n\nssh-keygen -t ed25519\nssh-copy-id -i ~\/.ssh\/id_ed25519.pub user@100.a.b.c\nssh user@100.a.b.c\n<\/code><\/pre>\n\n\n\nWindows \u2194 macOS (RDP + SMB)<\/h3>\n\n\n\n
\n
\n
100.x.y.z<\/code> \u2192 connect (RDP).<\/li>\n\n\n\nsmb:\/\/100.x.y.z\/Share<\/code>.<\/li>\n<\/ul>\n\n\n\nWindows \u2194 Linux (RDP from Linux client)<\/h3>\n\n\n\n
On Linux (client):<\/strong><\/p>\n\n\n\n