{"slug":"docker-configuration-parameters","title":"Docker configuration parameters","tags":["tailscale","containers"],"agent_summary":"Last validated: Mar 23, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Docker configuration parameters\r\n\r\nLast validated: Mar 23, 2026\r\n\r\nConfiguration parameters are passed as environment variables in your container definition. These parameters control how a Tailscale container authenticates to your tailnet, manages networking, and exposes services.\r\n\r\nYou can use parameters to configure authentication methods, enable features like DNS, metrics, and health checks, advertise routes, or forward traffic to other services. Set these variables in your Docker configuration (such as Docker run, Compose, or Kubernetes manifests) to customize how the container joins and operates within your tailnet.\r\n\r\n## [TS\\_ACCEPT\\_DNS](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_accept_dns)\r\n\r\nAccept [DNS configuration](https://tailscale.com/docs/reference/dns-in-tailscale) from the Tailscale admin console. Defaults to not accepted. Enable this if you want your container to use [MagicDNS](https://tailscale.com/docs/features/magicdns) and custom DNS settings from your tailnet. Without this, the container uses Docker's default DNS configuration.\r\n\r\n## [TS\\_AUDIENCE](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_audience)\r\n\r\nThe audience to use when requesting an ID token from a well-known identity provider for workload identity federation. Use this parameter in environments that support automatic ID token generation, such as GitHub Actions, Google Cloud, or AWS. You must use this with `TS_CLIENT_ID`.\r\nYou cannot use this parameter with `TS_CLIENT_SECRET` or `TS_ID_TOKEN`.\r\n\r\n## [TS\\_AUTH\\_ONCE](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_auth_once)\r\n\r\nControls login behavior. Set to false by default, which forces login every time the container starts. Set `TS_AUTH_ONCE=true` to log in only if the container isn't already authenticated. Use this when you're persisting state and don't want unnecessary re-authentication.\r\n\r\n## [TS\\_AUTHKEY](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_authkey)\r\n\r\nAuthenticates a container to your tailnet. Create an [authentication key](https://tailscale.com/docs/features/access-control/auth-keys) in the Tailscale admin console, then paste it here. This is equivalent to what you would pass to [`tailscale login --auth-key=`](https://tailscale.com/docs/reference/tailscale-cli#login). You can also use an [OAuth client](https://tailscale.com/docs/features/oauth-clients#register-new-nodes-using-oauth-credentials) secret here, but you must provide the associated tag using `TS_EXTRA_ARGS=--advertise-tags=tag:ci`.\r\n\r\nTo mark a containerized node as ephemeral (automatically removed when disconnected), append `?ephemeral=true` to the auth key or OAuth client secret. Use this for temporary containers or CI/CD environments.\r\n\r\nYou cannot use this parameter with `TS_CLIENT_ID`, `TS_CLIENT_SECRET`, `TS_ID_TOKEN`, or `TS_AUDIENCE`.\r\n\r\n## [TS\\_CLIENT\\_ID](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_client_id)\r\n\r\nThe OAuth client ID for authentication. You can use it alone (for example, when an ID token auto-generates in well-known environments like GitHub Actions), with `TS_CLIENT_SECRET` for OAuth authentication, with `TS_ID_TOKEN` for [workload identity federation](https://tailscale.com/docs/features/workload-identity-federation), or with `TS_AUDIENCE` for automatic ID token generation in supported environments.\r\n\r\nIf the value begins with `file:`, Tailscale treats it as a path to a file containing the client ID.\r\n\r\n## [TS\\_CLIENT\\_SECRET](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_client_secret)\r\n\r\nThe OAuth client secret for generating auth keys. You must use this with `TS_CLIENT_ID` for OAuth authentication. If the value begins with `file:`, Tailscale treats it as a path to a file containing the secret. This is more secure than embedding secrets directly in your setup. You cannot use this parameter with `TS_ID_TOKEN` or `TS_AUDIENCE`.\r\n\r\n## [TS\\_DEST\\_IP](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_dest_ip)\r\n\r\nProxies all incoming Tailscale traffic to the specified destination IP.\r\nUse this when you want all traffic that reaches your Tailscale container to forward to a specific service. For example, `TS_DEST_IP=100.0.0.5` sends all traffic to that IP address.\r\n\r\n## [TS\\_ENABLE\\_HEALTH\\_CHECK](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_enable_health_check)\r\n\r\nThis functionality is available in Tailscale 1.78 and later.\r\n\r\nSet to true to enable an unauthenticated `/healthz` endpoint at the address you specify with `TS_LOCAL_ADDR_PORT`. The health check returns `200 OK` if the node has at least one tailnet IP address. Otherwise it returns `503`. Use this for container orchestration health checks.\r\n\r\n## [TS\\_ENABLE\\_METRICS](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_enable_metrics)\r\n\r\nThis functionality is available in Tailscale 1.78 and later.\r\n\r\nSet to true to enable an unauthenticated `/metrics` endpoint at the address you specify with `TS_LOCAL_ADDR_PORT`. Refer to [client metrics](https://tailscale.com/docs/reference/tailscale-client-metrics) for more information about the available metrics. This is useful for monitoring your Tailscale container's performance and connection status.\r\n\r\n## [TS\\_HEALTHCHECK\\_ADDR\\_PORT](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_healthcheck_addr_port)\r\n\r\nThis functionality is deprecated in Tailscale 1.78 and later. Use `TS_ENABLE_HEALTH_CHECK` instead.\r\n\r\n## [TS\\_HOSTNAME](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_hostname)\r\n\r\nSets a custom hostname for your container on the tailnet. Without this, Docker generates a random hostname. This is equivalent to [`tailscale set --hostname=`](https://tailscale.com/docs/reference/tailscale-cli#set). For example, `TS_HOSTNAME=my-dev-database` makes your container accessible at my-dev-database in your tailnet.\r\n\r\n## [TS\\_ID\\_TOKEN](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_id_token)\r\n\r\nThe ID token from the identity provider for [workload identity federation](https://tailscale.com/docs/features/workload-identity-federation). You must use this with `TS_CLIENT_ID`. If the value begins with `file:`, Tailscale treats it as a path to a file containing the token.\r\n\r\nYou cannot use this parameter with `TS_CLIENT_SECRET` or `TS_AUDIENCE`.\r\n\r\n## [TS\\_KUBE\\_SECRET](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_kube_secret)\r\n\r\nIf you're running in Kubernetes, this is the Kubernetes name where Tailscale stores state. Defaults to `tailscale`. If you don't set `TS_AUTHKEY`, and `TS_KUBE_SECRET` contains a secret with an auth key field, Tailscale uses that key as the auth key.\r\n\r\n## [TS\\_LOCAL\\_ADDR\\_PORT](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_local_addr_port)\r\n\r\nThis functionality is available in Tailscale 1.78 and later.\r\n\r\nSpecifies the `[<addr>]:<port>` where Tailscale serves local metrics and health check HTTP endpoints if you enable them through `TS_ENABLE_METRICS` or `TS_ENABLE_HEALTH_CHECK`. Defaults to `[::]:9002` on all available interfaces.\r\n\r\n## [TS\\_OUTBOUND\\_HTTP\\_PROXY\\_LISTEN](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_outbound_http_proxy_listen)\r\n\r\nSets an address and port for the [HTTP proxy](https://tailscale.com/docs/concepts/userspace-networking#socks5-vs-http). Tailscale passes this to `tailscaled --outbound-http-proxy-listen=`. For example, `TS_OUTBOUND_HTTP_PROXY_LISTEN=:8080` creates an HTTP proxy on port `8080`, which is equivalent to `tailscaled --outbound-http-proxy-listen=:8080`.\r\n\r\n## [TS\\_ROUTES](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_routes)\r\n\r\nAdvertises [subnet routes](https://tailscale.com/docs/features/subnet-routers) so other devices in your tailnet can reach networks accessible from this container. This is equivalent to [`tailscale set --advertise-routes=`](https://tailscale.com/docs/reference/tailscale-cli#set). For example, `TS_ROUTES=192.168.1.0/24` lets other tailnet devices access your local network through this container.\r\n\r\nTo accept routes advertised by other nodes, use `TS_EXTRA_ARGS` to pass in `--accept-routes`.\r\n\r\n## [TS\\_SERVE\\_CONFIG](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_serve_config)\r\n\r\nAccepts a JSON file to programmatically configure [Tailscale Serve](https://tailscale.com/docs/reference/tailscale-cli/serve) and [Tailscale Funnel](https://tailscale.com/docs/reference/tailscale-cli/funnel) functionality. Use [`tailscale serve status --json`](https://tailscale.com/docs/reference/tailscale-cli/serve) to export your current configuration in the correct format. If you bind mount this file using a Docker volume, you must mount it as a directory (not an individual file) for Tailscale to correctly detect configuration updates.\r\n\r\n## [TS\\_SOCKET](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_socket)\r\n\r\nThe Unix socket path where the tailscaled LocalAPI socket lives. Defaults to `/var/run/tailscale/tailscaled.sock`. This is equivalent to `tailscaled tailscale --socket=`. You typically don't need to change this unless you have specific socket path requirements.\r\n\r\n## [TS\\_SOCKS5\\_SERVER](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_socks5_server)\r\n\r\nSets an address and port for the [SOCKS5 proxy](https://tailscale.com/docs/concepts/userspace-networking#socks5-vs-http). Tailscale passes this to `tailscaled --socks5-server=`. For example, `TS_SOCKS5_SERVER=:1055` creates a SOCKS5 proxy on port `1055`, which is equivalent to `tailscaled --socks5-server=:1055`.\r\n\r\n## [TS\\_STATE\\_DIR](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_state_dir)\r\n\r\nSpecifies where `tailscaled` stores its state. The `TS_STATE_DIR` volume ensures the container keeps its identity across restarts. Without it, each restart creates a new node in the admin console. This directory must persist across container restarts or your container will appear as a new node each time. Tailscale passes this to `tailscaled --statedir=`. For example, `TS_STATE_DIR=/var/lib/tailscale` stores state in that directory, which you should mount as a volume.\r\n\r\nWhen running on Kubernetes, Tailscale stores state by default in the Kubernetes secret with `name:tailscale`. To store state on local disk instead, set `TS_KUBE_SECRET=\"\"` and `TS_STATE_DIR=/path/to/storage/dir`.\r\n\r\n## [TS\\_TAILNET\\_TARGET\\_FQDN](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_tailnet_target_fqdn)\r\n\r\nProxies all incoming non-Tailscale traffic to the specified tailnet FQDN. Functions like `TS_TAILNET_TARGET_IP` but resolves a MagicDNS name instead of using a static IP. Not compatible with `TS_USERSPACE` mode. Cannot be used together with `TS_TAILNET_TARGET_IP`.\r\n\r\n## [TS\\_TAILNET\\_TARGET\\_IP](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_tailnet_target_ip)\r\n\r\nProxies all incoming non-Tailscale traffic to the specified destination IP within the tailnet. This sets up the container as an egress proxy, forwarding traffic from outside the tailnet to a Tailscale IP. Not compatible with `TS_USERSPACE` mode. Cannot be used together with `TS_TAILNET_TARGET_FQDN`.\r\n\r\n## [TS\\_USERSPACE](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_userspace)\r\n\r\nControls whether to use [userspace networking](https://tailscale.com/docs/concepts/userspace-networking#socks5-vs-http) instead of kernel networking. Enabled by default. This is equivalent to `tailscaled --tun=userspace-networking`.\r\n\r\nUserspace networking works everywhere but has lower performance. Set `TS_USERSPACE=false` to use kernel networking for better speed, but you'll also need to add devices and `cap_add` sections to setup. Kernel networking provides better performance but requires `/dev/net/tun` and additional capabilities.\r\n\r\n## [Extra arguments](https://tailscale.com/docs/features/containers/docker/docker-params\\#extra-arguments)\r\n\r\nThe parameters above cover common Tailscale configurations, but Tailscale supports many additional CLI flags. Use the extra arguments parameters below to pass any flags that don't have dedicated parameters. For example, if you want to advertise your container as an exit node or enable SSH, you can pass those flags through `TS_EXTRA_ARGS` since they don't have specific `TS_` parameters.\r\n\r\n## [TS\\_EXTRA\\_ARGS](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_extra_args)\r\n\r\nPass other Tailscale CLI flags you want to use with the [`tailscale up`](https://tailscale.com/docs/reference/tailscale-cli#up) command. For example, `TS_EXTRA_ARGS=--advertise-exit-node --ssh`.\r\n\r\n## [TS\\_TAILSCALED\\_EXTRA\\_ARGS](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_tailscaled_extra_args)\r\n\r\nPass other Tailscale CLI flags you want to use with the [`tailscaled`](https://tailscale.com/docs/reference/tailscaled#flags-to-tailscaled) command. For example, `TS_TAILSCALED_EXTRA_ARGS=--verbose=2`.\r\n\r\n## [Experimental parameters](https://tailscale.com/docs/features/containers/docker/docker-params\\#experimental-parameters)\r\n\r\n`TS_EXPERIMENTAL` parameters are subject to change and should not be considered as permanently supported.\r\n\r\n## [TS\\_EXPERIMENTAL\\_SERVICE\\_AUTO\\_ADVERTISEMENT](https://tailscale.com/docs/features/containers/docker/docker-params\\#ts_experimental_service_auto_advertisement)\r\n\r\nThis functionality is available in Tailscale v1.96 and later.\r\n\r\nFor `containerboot` instances not running in Kubernetes, this parameter handles the automatic advertisement of any [Tailscale Services](https://tailscale.com/docs/features/tailscale-services) defined in the Serve configuration on startup and un-advertises on shutdown.\r\n\r\nDefaults to `true` but can be disabled to allow user-specific advertisement configuration.\r\n\r\nThis addresses a change in default behavior. Previously, service advertisement had to be enabled manually for each container and did not persist across restarts. This parameter can be used to restore previous behavior for scenarios that require it.\r\n\r\n```shell\r\nTS_EXPERIMENTAL_SERVICE_AUTO_ADVERTISEMENT=false\r\n```\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Docker configuration parameters</h1>\n<p>Last validated: Mar 23, 2026</p>\n<p>Configuration parameters are passed as environment variables in your container definition. These parameters control how a Tailscale container authenticates to your tailnet, manages networking, and exposes services.</p>\n<p>You can use parameters to configure authentication methods, enable features like DNS, metrics, and health checks, advertise routes, or forward traffic to other services. Set these variables in your Docker configuration (such as Docker run, Compose, or Kubernetes manifests) to customize how the container joins and operates within your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_accept_dns\">TS_ACCEPT_DNS</a></h2>\n<p>Accept <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS configuration</a> from the Tailscale admin console. Defaults to not accepted. Enable this if you want your container to use <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> and custom DNS settings from your tailnet. Without this, the container uses Docker's default DNS configuration.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_audience\">TS_AUDIENCE</a></h2>\n<p>The audience to use when requesting an ID token from a well-known identity provider for workload identity federation. Use this parameter in environments that support automatic ID token generation, such as GitHub Actions, Google Cloud, or AWS. You must use this with <code>TS_CLIENT_ID</code>.\r\nYou cannot use this parameter with <code>TS_CLIENT_SECRET</code> or <code>TS_ID_TOKEN</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_auth_once\">TS_AUTH_ONCE</a></h2>\n<p>Controls login behavior. Set to false by default, which forces login every time the container starts. Set <code>TS_AUTH_ONCE=true</code> to log in only if the container isn't already authenticated. Use this when you're persisting state and don't want unnecessary re-authentication.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_authkey\">TS_AUTHKEY</a></h2>\n<p>Authenticates a container to your tailnet. Create an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">authentication key</a> in the Tailscale admin console, then paste it here. This is equivalent to what you would pass to <a href=\"https://tailscale.com/docs/reference/tailscale-cli#login\"><code>tailscale login --auth-key=</code></a>. You can also use an <a href=\"https://tailscale.com/docs/features/oauth-clients#register-new-nodes-using-oauth-credentials\">OAuth client</a> secret here, but you must provide the associated tag using <code>TS_EXTRA_ARGS=--advertise-tags=tag:ci</code>.</p>\n<p>To mark a containerized node as ephemeral (automatically removed when disconnected), append <code>?ephemeral=true</code> to the auth key or OAuth client secret. Use this for temporary containers or CI/CD environments.</p>\n<p>You cannot use this parameter with <code>TS_CLIENT_ID</code>, <code>TS_CLIENT_SECRET</code>, <code>TS_ID_TOKEN</code>, or <code>TS_AUDIENCE</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_client_id\">TS_CLIENT_ID</a></h2>\n<p>The OAuth client ID for authentication. You can use it alone (for example, when an ID token auto-generates in well-known environments like GitHub Actions), with <code>TS_CLIENT_SECRET</code> for OAuth authentication, with <code>TS_ID_TOKEN</code> for <a href=\"https://tailscale.com/docs/features/workload-identity-federation\">workload identity federation</a>, or with <code>TS_AUDIENCE</code> for automatic ID token generation in supported environments.</p>\n<p>If the value begins with <code>file:</code>, Tailscale treats it as a path to a file containing the client ID.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_client_secret\">TS_CLIENT_SECRET</a></h2>\n<p>The OAuth client secret for generating auth keys. You must use this with <code>TS_CLIENT_ID</code> for OAuth authentication. If the value begins with <code>file:</code>, Tailscale treats it as a path to a file containing the secret. This is more secure than embedding secrets directly in your setup. You cannot use this parameter with <code>TS_ID_TOKEN</code> or <code>TS_AUDIENCE</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_dest_ip\">TS_DEST_IP</a></h2>\n<p>Proxies all incoming Tailscale traffic to the specified destination IP.\r\nUse this when you want all traffic that reaches your Tailscale container to forward to a specific service. For example, <code>TS_DEST_IP=100.0.0.5</code> sends all traffic to that IP address.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_enable_health_check\">TS_ENABLE_HEALTH_CHECK</a></h2>\n<p>This functionality is available in Tailscale 1.78 and later.</p>\n<p>Set to true to enable an unauthenticated <code>/healthz</code> endpoint at the address you specify with <code>TS_LOCAL_ADDR_PORT</code>. The health check returns <code>200 OK</code> if the node has at least one tailnet IP address. Otherwise it returns <code>503</code>. Use this for container orchestration health checks.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_enable_metrics\">TS_ENABLE_METRICS</a></h2>\n<p>This functionality is available in Tailscale 1.78 and later.</p>\n<p>Set to true to enable an unauthenticated <code>/metrics</code> endpoint at the address you specify with <code>TS_LOCAL_ADDR_PORT</code>. Refer to <a href=\"https://tailscale.com/docs/reference/tailscale-client-metrics\">client metrics</a> for more information about the available metrics. This is useful for monitoring your Tailscale container's performance and connection status.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_healthcheck_addr_port\">TS_HEALTHCHECK_ADDR_PORT</a></h2>\n<p>This functionality is deprecated in Tailscale 1.78 and later. Use <code>TS_ENABLE_HEALTH_CHECK</code> instead.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_hostname\">TS_HOSTNAME</a></h2>\n<p>Sets a custom hostname for your container on the tailnet. Without this, Docker generates a random hostname. This is equivalent to <a href=\"https://tailscale.com/docs/reference/tailscale-cli#set\"><code>tailscale set --hostname=</code></a>. For example, <code>TS_HOSTNAME=my-dev-database</code> makes your container accessible at my-dev-database in your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_id_token\">TS_ID_TOKEN</a></h2>\n<p>The ID token from the identity provider for <a href=\"https://tailscale.com/docs/features/workload-identity-federation\">workload identity federation</a>. You must use this with <code>TS_CLIENT_ID</code>. If the value begins with <code>file:</code>, Tailscale treats it as a path to a file containing the token.</p>\n<p>You cannot use this parameter with <code>TS_CLIENT_SECRET</code> or <code>TS_AUDIENCE</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_kube_secret\">TS_KUBE_SECRET</a></h2>\n<p>If you're running in Kubernetes, this is the Kubernetes name where Tailscale stores state. Defaults to <code>tailscale</code>. If you don't set <code>TS_AUTHKEY</code>, and <code>TS_KUBE_SECRET</code> contains a secret with an auth key field, Tailscale uses that key as the auth key.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_local_addr_port\">TS_LOCAL_ADDR_PORT</a></h2>\n<p>This functionality is available in Tailscale 1.78 and later.</p>\n<p>Specifies the <code>[&#x3C;addr>]:&#x3C;port></code> where Tailscale serves local metrics and health check HTTP endpoints if you enable them through <code>TS_ENABLE_METRICS</code> or <code>TS_ENABLE_HEALTH_CHECK</code>. Defaults to <code>[::]:9002</code> on all available interfaces.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_outbound_http_proxy_listen\">TS_OUTBOUND_HTTP_PROXY_LISTEN</a></h2>\n<p>Sets an address and port for the <a href=\"https://tailscale.com/docs/concepts/userspace-networking#socks5-vs-http\">HTTP proxy</a>. Tailscale passes this to <code>tailscaled --outbound-http-proxy-listen=</code>. For example, <code>TS_OUTBOUND_HTTP_PROXY_LISTEN=:8080</code> creates an HTTP proxy on port <code>8080</code>, which is equivalent to <code>tailscaled --outbound-http-proxy-listen=:8080</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_routes\">TS_ROUTES</a></h2>\n<p>Advertises <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routes</a> so other devices in your tailnet can reach networks accessible from this container. This is equivalent to <a href=\"https://tailscale.com/docs/reference/tailscale-cli#set\"><code>tailscale set --advertise-routes=</code></a>. For example, <code>TS_ROUTES=192.168.1.0/24</code> lets other tailnet devices access your local network through this container.</p>\n<p>To accept routes advertised by other nodes, use <code>TS_EXTRA_ARGS</code> to pass in <code>--accept-routes</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_serve_config\">TS_SERVE_CONFIG</a></h2>\n<p>Accepts a JSON file to programmatically configure <a href=\"https://tailscale.com/docs/reference/tailscale-cli/serve\">Tailscale Serve</a> and <a href=\"https://tailscale.com/docs/reference/tailscale-cli/funnel\">Tailscale Funnel</a> functionality. Use <a href=\"https://tailscale.com/docs/reference/tailscale-cli/serve\"><code>tailscale serve status --json</code></a> to export your current configuration in the correct format. If you bind mount this file using a Docker volume, you must mount it as a directory (not an individual file) for Tailscale to correctly detect configuration updates.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_socket\">TS_SOCKET</a></h2>\n<p>The Unix socket path where the tailscaled LocalAPI socket lives. Defaults to <code>/var/run/tailscale/tailscaled.sock</code>. This is equivalent to <code>tailscaled tailscale --socket=</code>. You typically don't need to change this unless you have specific socket path requirements.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_socks5_server\">TS_SOCKS5_SERVER</a></h2>\n<p>Sets an address and port for the <a href=\"https://tailscale.com/docs/concepts/userspace-networking#socks5-vs-http\">SOCKS5 proxy</a>. Tailscale passes this to <code>tailscaled --socks5-server=</code>. For example, <code>TS_SOCKS5_SERVER=:1055</code> creates a SOCKS5 proxy on port <code>1055</code>, which is equivalent to <code>tailscaled --socks5-server=:1055</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_state_dir\">TS_STATE_DIR</a></h2>\n<p>Specifies where <code>tailscaled</code> stores its state. The <code>TS_STATE_DIR</code> volume ensures the container keeps its identity across restarts. Without it, each restart creates a new node in the admin console. This directory must persist across container restarts or your container will appear as a new node each time. Tailscale passes this to <code>tailscaled --statedir=</code>. For example, <code>TS_STATE_DIR=/var/lib/tailscale</code> stores state in that directory, which you should mount as a volume.</p>\n<p>When running on Kubernetes, Tailscale stores state by default in the Kubernetes secret with <code>name:tailscale</code>. To store state on local disk instead, set <code>TS_KUBE_SECRET=\"\"</code> and <code>TS_STATE_DIR=/path/to/storage/dir</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_tailnet_target_fqdn\">TS_TAILNET_TARGET_FQDN</a></h2>\n<p>Proxies all incoming non-Tailscale traffic to the specified tailnet FQDN. Functions like <code>TS_TAILNET_TARGET_IP</code> but resolves a MagicDNS name instead of using a static IP. Not compatible with <code>TS_USERSPACE</code> mode. Cannot be used together with <code>TS_TAILNET_TARGET_IP</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_tailnet_target_ip\">TS_TAILNET_TARGET_IP</a></h2>\n<p>Proxies all incoming non-Tailscale traffic to the specified destination IP within the tailnet. This sets up the container as an egress proxy, forwarding traffic from outside the tailnet to a Tailscale IP. Not compatible with <code>TS_USERSPACE</code> mode. Cannot be used together with <code>TS_TAILNET_TARGET_FQDN</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_userspace\">TS_USERSPACE</a></h2>\n<p>Controls whether to use <a href=\"https://tailscale.com/docs/concepts/userspace-networking#socks5-vs-http\">userspace networking</a> instead of kernel networking. Enabled by default. This is equivalent to <code>tailscaled --tun=userspace-networking</code>.</p>\n<p>Userspace networking works everywhere but has lower performance. Set <code>TS_USERSPACE=false</code> to use kernel networking for better speed, but you'll also need to add devices and <code>cap_add</code> sections to setup. Kernel networking provides better performance but requires <code>/dev/net/tun</code> and additional capabilities.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#extra-arguments\">Extra arguments</a></h2>\n<p>The parameters above cover common Tailscale configurations, but Tailscale supports many additional CLI flags. Use the extra arguments parameters below to pass any flags that don't have dedicated parameters. For example, if you want to advertise your container as an exit node or enable SSH, you can pass those flags through <code>TS_EXTRA_ARGS</code> since they don't have specific <code>TS_</code> parameters.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_extra_args\">TS_EXTRA_ARGS</a></h2>\n<p>Pass other Tailscale CLI flags you want to use with the <a href=\"https://tailscale.com/docs/reference/tailscale-cli#up\"><code>tailscale up</code></a> command. For example, <code>TS_EXTRA_ARGS=--advertise-exit-node --ssh</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_tailscaled_extra_args\">TS_TAILSCALED_EXTRA_ARGS</a></h2>\n<p>Pass other Tailscale CLI flags you want to use with the <a href=\"https://tailscale.com/docs/reference/tailscaled#flags-to-tailscaled\"><code>tailscaled</code></a> command. For example, <code>TS_TAILSCALED_EXTRA_ARGS=--verbose=2</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#experimental-parameters\">Experimental parameters</a></h2>\n<p><code>TS_EXPERIMENTAL</code> parameters are subject to change and should not be considered as permanently supported.</p>\n<h2><a href=\"https://tailscale.com/docs/features/containers/docker/docker-params#ts_experimental_service_auto_advertisement\">TS_EXPERIMENTAL_SERVICE_AUTO_ADVERTISEMENT</a></h2>\n<p>This functionality is available in Tailscale v1.96 and later.</p>\n<p>For <code>containerboot</code> instances not running in Kubernetes, this parameter handles the automatic advertisement of any <a href=\"https://tailscale.com/docs/features/tailscale-services\">Tailscale Services</a> defined in the Serve configuration on startup and un-advertises on shutdown.</p>\n<p>Defaults to <code>true</code> but can be disabled to allow user-specific advertisement configuration.</p>\n<p>This addresses a change in default behavior. Previously, service advertisement had to be enabled manually for each container and did not persist across restarts. This parameter can be used to restore previous behavior for scenarios that require it.</p>\n<pre><code class=\"language-shell\">TS_EXPERIMENTAL_SERVICE_AUTO_ADVERTISEMENT=false\n</code></pre>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}