tailscale-up

Connect to Tailscale

$ tailscale up

$ tailscale up --advertise-exit-node

$ tailscale up --exit-node [exit_node_ip]

$ tailscale up --shields-up

$ tailscale up --accept-dns=false

$ tailscale up --advertise-routes [10.0.0.0/24,10.0.1.0/24,...]

$ tailscale up --accept-routes

$ tailscale up --reset

tailscale up [flags]

The tailscale up command initiates or updates the Tailscale connection on the current device. It accepts various flags to control authentication methods, network configuration, and feature enablement.

--accept-dns
    Allows the node to accept and use DNS configurations pushed from the Tailscale coordination server.

--accept-routes
    Enables the node to accept and route traffic for subnets advertised by other Tailscale nodes.

--advertise-exit-node
    Advertises this node as an exit node, allowing other Tailscale nodes to route their internet traffic through it.

--advertise-routes
    Advertises specific IP routes (subnets) from this node into the Tailscale network.

--authkey
    Uses a pre-generated authentication key for unattended, non-interactive device registration.

--browser
    Opens a web browser for interactive authentication if required.

--exit-node
    Routes all internet traffic from this device through a specified exit node on your tailnet.

--exit-node-allow-lan-access
    When using an exit node, allows access to the local LAN (private IP ranges) in addition to routing internet traffic through the exit node.

--force-reauth
    Forces a re-authentication process, even if the device is already logged in.

--funnel
    Enables the Tailscale Funnel service on this node, allowing public internet access to specific services running on it.

--hostname
    Sets a custom hostname for this node within your Tailscale network.

--qr
    Displays a QR code in the terminal for authentication via the Tailscale mobile app.

--reset
    Resets the Tailscale configuration on the device before bringing it up again.

--shields-up
    Applies a default firewall policy that blocks all incoming connections from outside the Tailscale network, except from other Tailscale nodes.

--ssh
    Enables Tailscale SSH on this node, allowing SSH access over the Tailscale network.

--tags
    Assigns tags to the node during registration, which can be used for ACLs (Access Control Lists).

--unattended
    Runs tailscale up in unattended mode, suppressing browser launches and requiring an authkey.

--wait-engine
    Waits for the Tailscale engine to be ready before the command completes.

tailscale up is the primary command used to bring a device onto your Tailscale network (tailnet). When executed, it initializes the Tailscale client, establishes a secure connection to the Tailscale coordination server, and configures the device's networking using WireGuard to enable peer-to-peer connectivity with other nodes in your tailnet.

The command typically requires authentication, which can be performed via a web browser (opened automatically or via QR code), or by using an authentication key (--authkey) for unattended deployments. It handles network configuration, including assigning an IP address from your tailnet, setting up DNS, and applying firewall rules.

tailscale up is idempotent; running it multiple times will re-apply the configuration, making it useful for applying changes or re-authenticating. It's often the first Tailscale command executed after installation or when adding a new device to your private network.

Root/Administrator Privileges: The command generally requires root or administrator privileges to configure network interfaces and routing tables.

Network Connectivity: An active internet connection is necessary for the initial connection to Tailscale's coordination servers.

Authentication: Initial setup often requires interactive authentication via a web browser or QR code, unless an --authkey is provided.

Firewall Interactions: Tailscale configures its own firewall rules (e.g., with --shields-up). Existing system firewalls might need adjustments to allow Tailscale's WireGuard traffic (UDP port 41641) if explicitly blocked.

Persistent Configuration: While tailscale up configures the current session, many settings are persistent across reboots or service restarts. However, some flags like --authkey are for one-time registration and not persistent configuration.

Many tailscale up flags (e.g., --accept-routes, --advertise-routes, --hostname, --ssh, --shields-up) configure persistent settings for the Tailscale daemon. Once set, these configurations typically persist across reboots and tailscale up calls, unless explicitly overridden by subsequent commands or a --reset.

When tailscale up is run without an --authkey on a new device, it generates a unique URL. This URL must be opened in a web browser on a device where you are already logged into your Tailscale account to authorize the new node. This secure, interactive authentication process links the device to your tailnet. Flags like --qr and --browser provide alternative methods for this interactive flow.

Tailscale, founded in 2019, built its network overlay solution on top of WireGuard. The tailscale up command has been a fundamental part of its client interface since the very beginning, serving as the primary method for users to bring a new device onto their secure network. Over time, as Tailscale introduced new features like exit nodes, subnet routing, SSH, and Funnel, the tailscale up command has evolved to incorporate flags for enabling and configuring these capabilities, reflecting the growing power and flexibility of the Tailscale platform while maintaining its core purpose of simple, secure connectivity.

tailscale(8), tailscale status(8), tailscale logout(8), tailscale ip(8), wg(8), ip(8)