LinuxCommandLibrary

tailscale-funnel

Expose services securely

TLDR

Expose a local file or directory in the foreground

$ tailscale funnel [path/to/file_or_directory]

Expose an HTTP server running at 127.0.0.1:3000 in the foreground
$ tailscale funnel 3000

Expose an HTTP server running at 127.0.0.1:3000 in the background
$ tailscale funnel --bg 3000

Expose an HTTPS server with invalid or self-signed certificates at https://localhost:8443
$ tailscale funnel https+insecure://localhost:8443

SYNOPSIS

tailscale funnel [flags] [port[/tcp|http|https]]

PARAMETERS

--bg=on|off|toggle
    Control background mode for persistent funnel (default: off)

--clean
    Remove all funnels for this machine

--url
    Print the public funnel URL and exit

-h, --help
    Show command help

DESCRIPTION

The tailscale funnel command enables secure public access to local TCP services running on your machine through Tailscale's Funnel feature. It creates a stable, publicly accessible HTTPS URL (e.g., https://yourname.tailscale.funnel) that proxies traffic to your local port.

Key benefits include zero-config setup (after enabling in Tailscale admin console), automatic HTTPS with valid certificates, DDoS protection, and Tailscale ACL enforcement. Traffic flows: public internet → Tailscale edge → your Tailscale IP → local service.

Use cases: demoing web apps, temporarily exposing SSH, sharing dev servers. Requires Tailscale v1.48+, Funnel enabled per user/device in the admin console, and tailscaled running with tailscale up. Funnels persist across reboots in background mode (--bg=on).

Security: Public exposure is opt-in; Tailscale verifies ownership. Traffic is rate-limited and there is no direct IP exposure. Stop anytime with --bg=off or --clean.
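
A time-boxed exposure wrapper, as an added example (not part of the original page or Tailscale's own tooling): it runs the foreground form from the TLDR and stops it at a deadline, so a forgotten funnel does not stay public. TAILSCALE, MAX_SECONDS, is_uint and funnel_timeboxed are hypothetical names, and the script assumes a foreground funnel stops serving when its process exits.

```shell
#!/bin/sh
# Added example: time-boxed Funnel exposure (not from the original page).
# Assumptions: TAILSCALE and MAX_SECONDS are hypothetical override variables;
# a foreground `tailscale funnel` stops serving when its process exits.
TAILSCALE="${TAILSCALE:-tailscale}"
MAX_SECONDS="${MAX_SECONDS:-3600}"   # hard cap on how long anything stays public

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# funnel_timeboxed PORT SECONDS
# Runs `tailscale funnel PORT` in the foreground and stops it after SECONDS.
# Status: 0 = stopped at the deadline, 1 = funnel exited early, 2 = bad arguments.
# The body is a subshell, so the trap and variables do not leak into the caller.
funnel_timeboxed() (
    port="$1"; secs="$2"
    is_uint "$port" && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "refusing: invalid port '$port'" >&2; exit 2; }
    is_uint "$secs" && [ "$secs" -ge 1 ] && [ "$secs" -le "$MAX_SECONDS" ] || {
        echo "refusing: duration must be 1..$MAX_SECONDS seconds" >&2; exit 2; }

    "$TAILSCALE" funnel "$port" &
    fpid=$!
    # Background jobs ignore Ctrl+C, so forward interruption to the funnel.
    trap 'kill "$fpid" 2>/dev/null; exit 130' INT TERM HUP

    elapsed=0
    while [ "$elapsed" -lt "$secs" ]; do
        # Report an early exit (e.g. Funnel not enabled) instead of waiting.
        kill -0 "$fpid" 2>/dev/null || { wait "$fpid"; exit 1; }
        sleep 1
        elapsed=$((elapsed + 1))
    done

    kill "$fpid" 2>/dev/null
    wait "$fpid" 2>/dev/null
    echo "funnel on port $port stopped after ${secs}s" >&2
    exit 0
)
```

Call it as `funnel_timeboxed 3000 900` to share a dev server for 15 minutes; anything started with --bg is outside this wrapper and still has to be stopped explicitly.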

CAVEATS

Requires Tailscale admin approval for funnel; TCP only (HTTP/S for web); public exposure risk — use ACLs; IPv6 local ports unsupported; quota-limited by Tailscale plan.

REQUIREMENTS

Tailscale ≥1.48; enable 'Funnel' in admin console; run as non-root.

EXAMPLE

tailscale funnel 8080/http → https://machine.tailscale.funnel
tailscale funnel --bg=on 8443 for TCP.

HISTORY

Introduced in Tailscale v1.48 (2023) as a secure alternative to ngrok/port-forwarding. It later gained HTTPS auto-detection and ACL integration, and is widely used for demos and sharing (millions of funnels created).

SEE ALSO

tailscale(1), tailscale-serve(1), tailscaled(8)
