{"slug":"setting-up-a-server-on-your-tailscale-network","title":"Setting up a server on your Tailscale network","tags":["tailscale","networking"],"agent_summary":"Last validated: Dec 4, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Setting up a server on your Tailscale network\r\n\r\nLast validated: Dec 4, 2025\r\n\r\nIf you're setting up servers on Tailscale, we recommend you use an [auth key](https://tailscale.com/docs/features/access-control/auth-keys) to provision the server, and a [tag](https://tailscale.com/docs/features/tags) to restrict its access. You can also set up [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) to access your servers.\r\n\r\nHere's how to set up a server in Tailscale:\r\n\r\n1. Create a new [tag](https://tailscale.com/docs/features/tags) in your tailnet for the type of shared resource you are managing. For example, you can use the tag `server` for your servers, `prod` or `test` for your environments, and `front-end` for grouping of other resources that you maintain.\r\n\r\nTo create a tag, modify the [tailnet policy file](https://tailscale.com/docs/features/access-control/acls) to specify the owner of the tag, which is the team or user who can use that tag. You can use an existing tag for all servers. If you're also setting up Tailscale SSH, we recommend using a new tag.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n{\r\n     \"tagOwners\": {\r\n       \"tag:server\": [\"alice@example.com\"]\r\n     }\r\n}\r\n```\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n2. Write [access rules](https://tailscale.com/docs/reference/syntax/policy-file#acls) in the tailnet policy file which:\r\n\r\n\r\n   - Allow the desired sources to reach the tagged resources\r\n   - If you're also setting up Tailscale SSH, allow the desired sources to reach the tagged resources using Tailscale SSH\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:sre\"],\\\r\n      \"dst\": [\"tag:server\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ],\r\n  \"ssh\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:sre\"],\\\r\n      \"dst\": [\"tag:server\"],\\\r\n      \"users\": [\"ubuntu\", \"root\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n3. Generate an [authentication key](https://tailscale.com/docs/features/access-control/auth-keys) to automatically connect servers to your network. Select the tag or tags you wish to use for your servers as part of this auth key.\r\n\r\n\r\n   - If you're authenticating more than one server, use a reusable auth key. Or, for long-lived auth keys, set up an [OAuth client with the scope `auth_keys`](https://tailscale.com/docs/features/oauth-clients#generating-long-lived-auth-keys).\r\n   - If you're authenticating ephemeral workloads like containers or functions, use an ephemeral key.\r\n   - If your tailnet has [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) enabled, and you only intend to use that to approve end-user devices, use a pre-authorized auth key.\r\n\r\n![Tailscale's auth key generation page](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgenerate-auth-key.a0369d5c.png&w=750&q=75)\r\n\r\nThe **Pre-approved** option will only display in the dialog if [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) is enabled in your Tailscale network.\r\n\r\nCurrently, if your client node is provisioned with an [authentication key](https://tailscale.com/docs/features/access-control/auth-keys), you cannot use [check mode](https://tailscale.com/docs/features/tailscale-ssh#check-mode) when\r\nestablishing a Tailscale SSH connection using the node as a source.\r\n\r\n4. When you provision a new server, [install](https://tailscale.com/download) and connect to Tailscale manually or as part of your automation tooling. Make sure to specify the auth key including the tags you want, and to enable Tailscale SSH.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale up --auth-key=$TS_AUTHKEY\r\n```\r\n\r\n\r\n\r\nIf you want to specify a particular machine name for your server to use with [MagicDNS](https://tailscale.com/docs/features/magicdns), then also specify `--hostname`:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale up --auth-key=$TS_AUTHKEY --hostname=$TS_HOSTNAME\r\n```\r\n\r\n\r\n\r\nIf the auth key was not generated with tags, then also specify `--advertise-tags`:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale up --auth-key=$TS_AUTHKEY --advertise-tags=<tags>\r\n```\r\n\r\n\r\n\r\nIf you want to enable Tailscale SSH, then also specify `--ssh`:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale up --auth-key=$TS_AUTHKEY --ssh\r\n```\r\n\r\n5. To access your servers over Tailscale, you can connect to them like any other device in your tailnet.\r\n\r\nIf you have Tailscale SSH set up, you can connect to your severs using [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) or [Tailscale SSH Console](https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-console).\r\n\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Setting up a server on your Tailscale network</h1>\n<p>Last validated: Dec 4, 2025</p>\n<p>If you're setting up servers on Tailscale, we recommend you use an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a> to provision the server, and a <a href=\"https://tailscale.com/docs/features/tags\">tag</a> to restrict its access. You can also set up <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> to access your servers.</p>\n<p>Here's how to set up a server in Tailscale:</p>\n<ol>\n<li>Create a new <a href=\"https://tailscale.com/docs/features/tags\">tag</a> in your tailnet for the type of shared resource you are managing. For example, you can use the tag <code>server</code> for your servers, <code>prod</code> or <code>test</code> for your environments, and <code>front-end</code> for grouping of other resources that you maintain.</li>\n</ol>\n<p>To create a tag, modify the <a href=\"https://tailscale.com/docs/features/access-control/acls\">tailnet policy file</a> to specify the owner of the tag, which is the team or user who can use that tag. You can use an existing tag for all servers. If you're also setting up Tailscale SSH, we recommend using a new tag.</p>\n<pre><code class=\"language-json\">{\r\n     \"tagOwners\": {\r\n       \"tag:server\": [\"alice@example.com\"]\r\n     }\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<ol start=\"2\">\n<li>\n<p>Write <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#acls\">access rules</a> in the tailnet policy file which:</p>\n<ul>\n<li>Allow the desired sources to reach the tagged resources</li>\n<li>If you're also setting up Tailscale SSH, allow the desired sources to reach the tagged resources using Tailscale SSH</li>\n</ul>\n</li>\n</ol>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:sre\"],\\\r\n      \"dst\": [\"tag:server\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ],\r\n  \"ssh\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:sre\"],\\\r\n      \"dst\": [\"tag:server\"],\\\r\n      \"users\": [\"ubuntu\", \"root\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<ol start=\"3\">\n<li>\n<p>Generate an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">authentication key</a> to automatically connect servers to your network. Select the tag or tags you wish to use for your servers as part of this auth key.</p>\n<ul>\n<li>If you're authenticating more than one server, use a reusable auth key. Or, for long-lived auth keys, set up an <a href=\"https://tailscale.com/docs/features/oauth-clients#generating-long-lived-auth-keys\">OAuth client with the scope <code>auth_keys</code></a>.</li>\n<li>If you're authenticating ephemeral workloads like containers or functions, use an ephemeral key.</li>\n<li>If your tailnet has <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> enabled, and you only intend to use that to approve end-user devices, use a pre-authorized auth key.</li>\n</ul>\n</li>\n</ol>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgenerate-auth-key.a0369d5c.png&#x26;w=750&#x26;q=75\" alt=\"Tailscale&#x27;s auth key generation page\"></p>\n<p>The <strong>Pre-approved</strong> option will only display in the dialog if <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> is enabled in your Tailscale network.</p>\n<p>Currently, if your client node is provisioned with an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">authentication key</a>, you cannot use <a href=\"https://tailscale.com/docs/features/tailscale-ssh#check-mode\">check mode</a> when\r\nestablishing a Tailscale SSH connection using the node as a source.</p>\n<ol start=\"4\">\n<li>When you provision a new server, <a href=\"https://tailscale.com/download\">install</a> and connect to Tailscale manually or as part of your automation tooling. Make sure to specify the auth key including the tags you want, and to enable Tailscale SSH.</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale up --auth-key=$TS_AUTHKEY\n</code></pre>\n<p>If you want to specify a particular machine name for your server to use with <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a>, then also specify <code>--hostname</code>:</p>\n<pre><code class=\"language-shell\">tailscale up --auth-key=$TS_AUTHKEY --hostname=$TS_HOSTNAME\n</code></pre>\n<p>If the auth key was not generated with tags, then also specify <code>--advertise-tags</code>:</p>\n<pre><code class=\"language-shell\">tailscale up --auth-key=$TS_AUTHKEY --advertise-tags=&#x3C;tags>\n</code></pre>\n<p>If you want to enable Tailscale SSH, then also specify <code>--ssh</code>:</p>\n<pre><code class=\"language-shell\">tailscale up --auth-key=$TS_AUTHKEY --ssh\n</code></pre>\n<ol start=\"5\">\n<li>To access your servers over Tailscale, you can connect to them like any other device in your tailnet.</li>\n</ol>\n<p>If you have Tailscale SSH set up, you can connect to your severs using <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> or <a href=\"https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-console\">Tailscale SSH Console</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}