{"slug":"manage-devices-using-the-web-interface","title":"Manage devices using the web interface","tags":["tailscale","devices"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Manage devices using the web interface\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nThe web interface is a browser-based GUI available on all machines running the desktop platform of the Tailscale client, including Linux, macOS, and Windows. This lets you configure settings without needing to use the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli) or to configure settings on a device that does not have a built-in GUI.\r\n\r\nA device must have Tailscale v1.56.0 or later installed to access its web interface. As of v1.64.0, the web interface runs on [`100.100.100.100`](https://tailscale.com/docs/reference/quad100) by default.\r\n\r\nThe web interface runs locally over `100.100.100.100` by default, and can also be exposed to your tailnet over `<tailscaleIP>:5252`.\r\n\r\n## [Expose the web interface on a device](https://tailscale.com/docs/features/client/device-web-interface\\#expose-the-web-interface-on-a-device)\r\n\r\nBefore accessing the web interface over `<tailscaleIP>:5252`, you must enable it using the Tailscale CLI in a terminal session.\r\n\r\nTo expose the web interface in foreground mode, open a terminal session on the device and run [`tailscale web`](https://tailscale.com/docs/reference/tailscale-cli#web). When you close the terminal session or press `Ctrl` \\+ `C`, the web interface will no longer be exposed to your tailnet.\r\n\r\nTo expose the web interface persistently in the background, open a terminal session on the device and run [`tailscale set --webclient`](https://tailscale.com/docs/reference/tailscale-cli#set).\r\n\r\nYour [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file) manages access to the web interface.\r\n\r\n`tailscale set --webclient` also turns on the web interface locally over `100.100.100.100` for Tailscale v1.62.0 or earlier. For clients v1.64.0 or newer, the web interface runs locally over `100.100.100.100` by default.\r\n\r\n## [Open and authenticate to the web interface](https://tailscale.com/docs/features/client/device-web-interface\\#open-and-authenticate-to-the-web-interface)\r\n\r\nFrom your web browser, use one of the following methods to access the web interface for a device in your tailnet:\r\n\r\n- Go to [`100.100.100.100`](https://tailscale.com/docs/reference/quad100) to access the web interface on the device you are currently using\r\n- Go to `<tailscaleIP>:5252` to access the web interface on another device, where `tailscaleIP` is the address for the device. This can only be done if the viewing user has access to port 5252 on the destination as permitted in your [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file).\r\n- Go to `localhost:8080`, or the address and port provided to `tailscale web` from the device running the web interface.\r\n- Some platforms, including Synology, expose the web interface over the LAN through their management console.\r\n\r\nWhen you initially visit the web interface from a browser, you are always accessing it in the read-only mode, for security reasons. Anyone with access to the page can access the read-only page of the web interface. From here you can access metadata about the device, including its IP address, by selecting **View device details**.\r\n\r\nTo change device settings in the web interface, you must complete a check mode authentication step. Select your profile photo in the upper right, select **Sign in**, and then complete the authentication flow.\r\n\r\nRefer to [Control remote access](https://tailscale.com/use-cases/remote-access) for how to limit who can access the web interface for a device.\r\n\r\n## [Disable the web interface on a device](https://tailscale.com/docs/features/client/device-web-interface\\#disable-the-web-interface-on-a-device)\r\n\r\nThere are three ways to disable the web interface on a device.\r\n\r\n**Option 1**: Disable access for non-local users only, by running the following [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli) command:\r\n\r\n```shell\r\ntailscale set --webclient=false\r\n```\r\n\r\n**Option 2**: Disable access for both local and non-local users, by adding the following tailnet policy file entry:\r\n\r\n```json\r\n\"nodeAttrs\": [\\\r\n  {\\\r\n    \"target\": [\"autogroup:member\"],\\\r\n    \"attr\":   [\"disable-web-client\"],\\\r\n  },\\\r\n],\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n**Option 3**: Disconnect or remove the device from your tailnet.\r\n\r\n## [Control remote access](https://tailscale.com/docs/features/client/device-web-interface\\#control-remote-access)\r\n\r\n### [Grant read-only access](https://tailscale.com/docs/features/client/device-web-interface\\#grant-read-only-access)\r\n\r\nAny user in your tailnet, or any user with whom the device has been shared, with access to the device's port 5252 will be able to access its web interface. To limit read access, limit who has access to the device's port 5252 in the policy. For example:\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    // Allow access only to users' own web interfaces.\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"autogroup:member\"],\\\r\n      \"dst\": [\"autogroup:self:5252\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nor, using the new [grants](https://tailscale.com/docs/features/access-control/grants) syntax:\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    // Allow access only to users' own web interfaces.\\\r\n    {\\\r\n      \"src\": [\"autogroup:member\"],\\\r\n      \"dst\": [\"autogroup:self\"],\\\r\n      \"ip\": [\"5252\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n## [Grant management access](https://tailscale.com/docs/features/client/device-web-interface\\#grant-management-access)\r\n\r\nIf the device is user-owned (not [tagged](https://tailscale.com/docs/features/tags)), only the owner is able to manage settings on the device using the Tailscale web interface. Additional users cannot be granted management access by changing the [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file).\r\n\r\nIf the device is [tagged](https://tailscale.com/docs/features/tags), users can be granted access to manage parts of the Tailscale web interface using [grants](https://tailscale.com/docs/features/access-control/grants). Use the `canEdit` list of the `\"tailscale.com/cap/webui\"` app to define what users are allowed to manage. The supported `canEdit` values are:\r\n\r\n- `*` Grants management access for all current and future web interface features\r\n- `ssh` Grants management access for Tailscale SSH\r\n- `subnets` Grants management access for subnet routes\r\n- `exitNodes` Grants management access for exit nodes including the ability to advertise the device as an exit node and use other exit nodes\r\n- `account` Grants management access for account settings including the ability to log out of node and turn on auto-updates\r\n\r\nFor example:\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"user@example.com\"],\\\r\n      \"dst\": [\"tag:dev\"],\\\r\n      \"ip\": [\"5252\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/webui\": [\\\r\n          {\\\r\n            // Grants user@example.com edit access to \"tag:dev\" devices' web interfaces.\\\r\n            \"canEdit\": [\"ssh\", \"subnets\"]\\\r\n          }\\\r\n        ]\\\r\n      }\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nAnyone with management access to a device's web interface, whether tagged or user-owned, will be required to log into the web interface and complete a check mode authentication step to verify their identity before being able to actually change device settings. Check mode also requires that the user be connecting from a Tailscale device of which they are the owner (not from a tagged device).\r\n\r\nTagged device grants for the web interface were added for devices using Tailscale v1.62.0 and later. For any tagged devices running a version less than v1.62.0, access control policies alone give users the ability to manage the tagged device from the web interface.\r\n\r\n## [Features](https://tailscale.com/docs/features/client/device-web-interface\\#features)\r\n\r\nThe web interface lets you configure the Tailscale settings for a device. Not all features are available on every platform. When a feature is not supported for a platform, it will not appear in that device's web interface.\r\n\r\n### [Enable exit nodes](https://tailscale.com/docs/features/client/device-web-interface\\#enable-exit-nodes)\r\n\r\nTo select an [exit node](https://tailscale.com/docs/features/exit-nodes) to route the device through, go to **This device**, select **Exit node**, then select the exit node you want to use. To stop using the exit node, select **Disable**.\r\n\r\nTo advertise the device as an exit node, go to **This device**, select **Exit node**, then select **Run as exit node**. To stop advertising the device as an exit node, select **Disable**.\r\n\r\n### [Enable a subnet router](https://tailscale.com/docs/features/client/device-web-interface\\#enable-a-subnet-router)\r\n\r\nConfiguring a device as a [subnet router](https://tailscale.com/docs/features/subnet-routers) lets you remotely access resources on your network that may not have Tailscale installed, such as a printer.\r\n\r\nTo use the device as a subnet router, go to **Settings** and select **Subnet router** drop-down. In the text field, enter the combined IP address and subnet mask (CIDR) you want to advertise to your tailnet and select **Advertise routes**. You can enter multiple subnets by separating them with commas. To stop advertising routes, select **Stop advertising** next to the route.\r\n\r\nIf your advertised routes are pending approval, you can [enable subnet routes](https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console) from the admin console.\r\n\r\n### [Enable Tailscale SSH](https://tailscale.com/docs/features/client/device-web-interface\\#enable-tailscale-ssh)\r\n\r\nTo enable [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) on the device, go to **Settings**, select **Tailscale SSH server**, then turn the toggle on. To disable the Tailscale SSH server, turn the toggle off.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Manage devices using the web interface</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>The web interface is a browser-based GUI available on all machines running the desktop platform of the Tailscale client, including Linux, macOS, and Windows. This lets you configure settings without needing to use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a> or to configure settings on a device that does not have a built-in GUI.</p>\n<p>A device must have Tailscale v1.56.0 or later installed to access its web interface. As of v1.64.0, the web interface runs on <a href=\"https://tailscale.com/docs/reference/quad100\"><code>100.100.100.100</code></a> by default.</p>\n<p>The web interface runs locally over <code>100.100.100.100</code> by default, and can also be exposed to your tailnet over <code>&#x3C;tailscaleIP>:5252</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/client/device-web-interface#expose-the-web-interface-on-a-device\">Expose the web interface on a device</a></h2>\n<p>Before accessing the web interface over <code>&#x3C;tailscaleIP>:5252</code>, you must enable it using the Tailscale CLI in a terminal session.</p>\n<p>To expose the web interface in foreground mode, open a terminal session on the device and run <a href=\"https://tailscale.com/docs/reference/tailscale-cli#web\"><code>tailscale web</code></a>. When you close the terminal session or press <code>Ctrl</code> + <code>C</code>, the web interface will no longer be exposed to your tailnet.</p>\n<p>To expose the web interface persistently in the background, open a terminal session on the device and run <a href=\"https://tailscale.com/docs/reference/tailscale-cli#set\"><code>tailscale set --webclient</code></a>.</p>\n<p>Your <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a> manages access to the web interface.</p>\n<p><code>tailscale set --webclient</code> also turns on the web interface locally over <code>100.100.100.100</code> for Tailscale v1.62.0 or earlier. For clients v1.64.0 or newer, the web interface runs locally over <code>100.100.100.100</code> by default.</p>\n<h2><a href=\"https://tailscale.com/docs/features/client/device-web-interface#open-and-authenticate-to-the-web-interface\">Open and authenticate to the web interface</a></h2>\n<p>From your web browser, use one of the following methods to access the web interface for a device in your tailnet:</p>\n<ul>\n<li>Go to <a href=\"https://tailscale.com/docs/reference/quad100\"><code>100.100.100.100</code></a> to access the web interface on the device you are currently using</li>\n<li>Go to <code>&#x3C;tailscaleIP>:5252</code> to access the web interface on another device, where <code>tailscaleIP</code> is the address for the device. This can only be done if the viewing user has access to port 5252 on the destination as permitted in your <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a>.</li>\n<li>Go to <code>localhost:8080</code>, or the address and port provided to <code>tailscale web</code> from the device running the web interface.</li>\n<li>Some platforms, including Synology, expose the web interface over the LAN through their management console.</li>\n</ul>\n<p>When you initially visit the web interface from a browser, you are always accessing it in the read-only mode, for security reasons. Anyone with access to the page can access the read-only page of the web interface. From here you can access metadata about the device, including its IP address, by selecting <strong>View device details</strong>.</p>\n<p>To change device settings in the web interface, you must complete a check mode authentication step. Select your profile photo in the upper right, select <strong>Sign in</strong>, and then complete the authentication flow.</p>\n<p>Refer to <a href=\"https://tailscale.com/use-cases/remote-access\">Control remote access</a> for how to limit who can access the web interface for a device.</p>\n<h2><a href=\"https://tailscale.com/docs/features/client/device-web-interface#disable-the-web-interface-on-a-device\">Disable the web interface on a device</a></h2>\n<p>There are three ways to disable the web interface on a device.</p>\n<p><strong>Option 1</strong>: Disable access for non-local users only, by running the following <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a> command:</p>\n<pre><code class=\"language-shell\">tailscale set --webclient=false\n</code></pre>\n<p><strong>Option 2</strong>: Disable access for both local and non-local users, by adding the following tailnet policy file entry:</p>\n<pre><code class=\"language-json\">\"nodeAttrs\": [\\\r\n  {\\\r\n    \"target\": [\"autogroup:member\"],\\\r\n    \"attr\":   [\"disable-web-client\"],\\\r\n  },\\\r\n],\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p><strong>Option 3</strong>: Disconnect or remove the device from your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/client/device-web-interface#control-remote-access\">Control remote access</a></h2>\n<h3><a href=\"https://tailscale.com/docs/features/client/device-web-interface#grant-read-only-access\">Grant read-only access</a></h3>\n<p>Any user in your tailnet, or any user with whom the device has been shared, with access to the device's port 5252 will be able to access its web interface. To limit read access, limit who has access to the device's port 5252 in the policy. For example:</p>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    // Allow access only to users' own web interfaces.\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"autogroup:member\"],\\\r\n      \"dst\": [\"autogroup:self:5252\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>or, using the new <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a> syntax:</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    // Allow access only to users' own web interfaces.\\\r\n    {\\\r\n      \"src\": [\"autogroup:member\"],\\\r\n      \"dst\": [\"autogroup:self\"],\\\r\n      \"ip\": [\"5252\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h2><a href=\"https://tailscale.com/docs/features/client/device-web-interface#grant-management-access\">Grant management access</a></h2>\n<p>If the device is user-owned (not <a href=\"https://tailscale.com/docs/features/tags\">tagged</a>), only the owner is able to manage settings on the device using the Tailscale web interface. Additional users cannot be granted management access by changing the <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a>.</p>\n<p>If the device is <a href=\"https://tailscale.com/docs/features/tags\">tagged</a>, users can be granted access to manage parts of the Tailscale web interface using <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a>. Use the <code>canEdit</code> list of the <code>\"tailscale.com/cap/webui\"</code> app to define what users are allowed to manage. The supported <code>canEdit</code> values are:</p>\n<ul>\n<li><code>*</code> Grants management access for all current and future web interface features</li>\n<li><code>ssh</code> Grants management access for Tailscale SSH</li>\n<li><code>subnets</code> Grants management access for subnet routes</li>\n<li><code>exitNodes</code> Grants management access for exit nodes including the ability to advertise the device as an exit node and use other exit nodes</li>\n<li><code>account</code> Grants management access for account settings including the ability to log out of node and turn on auto-updates</li>\n</ul>\n<p>For example:</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"user@example.com\"],\\\r\n      \"dst\": [\"tag:dev\"],\\\r\n      \"ip\": [\"5252\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/webui\": [\\\r\n          {\\\r\n            // Grants user@example.com edit access to \"tag:dev\" devices' web interfaces.\\\r\n            \"canEdit\": [\"ssh\", \"subnets\"]\\\r\n          }\\\r\n        ]\\\r\n      }\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>Anyone with management access to a device's web interface, whether tagged or user-owned, will be required to log into the web interface and complete a check mode authentication step to verify their identity before being able to actually change device settings. Check mode also requires that the user be connecting from a Tailscale device of which they are the owner (not from a tagged device).</p>\n<p>Tagged device grants for the web interface were added for devices using Tailscale v1.62.0 and later. For any tagged devices running a version less than v1.62.0, access control policies alone give users the ability to manage the tagged device from the web interface.</p>\n<h2><a href=\"https://tailscale.com/docs/features/client/device-web-interface#features\">Features</a></h2>\n<p>The web interface lets you configure the Tailscale settings for a device. Not all features are available on every platform. When a feature is not supported for a platform, it will not appear in that device's web interface.</p>\n<h3><a href=\"https://tailscale.com/docs/features/client/device-web-interface#enable-exit-nodes\">Enable exit nodes</a></h3>\n<p>To select an <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit node</a> to route the device through, go to <strong>This device</strong>, select <strong>Exit node</strong>, then select the exit node you want to use. To stop using the exit node, select <strong>Disable</strong>.</p>\n<p>To advertise the device as an exit node, go to <strong>This device</strong>, select <strong>Exit node</strong>, then select <strong>Run as exit node</strong>. To stop advertising the device as an exit node, select <strong>Disable</strong>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/client/device-web-interface#enable-a-subnet-router\">Enable a subnet router</a></h3>\n<p>Configuring a device as a <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a> lets you remotely access resources on your network that may not have Tailscale installed, such as a printer.</p>\n<p>To use the device as a subnet router, go to <strong>Settings</strong> and select <strong>Subnet router</strong> drop-down. In the text field, enter the combined IP address and subnet mask (CIDR) you want to advertise to your tailnet and select <strong>Advertise routes</strong>. You can enter multiple subnets by separating them with commas. To stop advertising routes, select <strong>Stop advertising</strong> next to the route.</p>\n<p>If your advertised routes are pending approval, you can <a href=\"https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console\">enable subnet routes</a> from the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/features/client/device-web-interface#enable-tailscale-ssh\">Enable Tailscale SSH</a></h3>\n<p>To enable <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> on the device, go to <strong>Settings</strong>, select <strong>Tailscale SSH server</strong>, then turn the toggle on. To disable the Tailscale SSH server, turn the toggle off.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}