{"slug":"tailscale-daemon-configuration-file","title":"Tailscale daemon configuration file","tags":["tailscale","file-sharing"],"agent_summary":"Last validated: Jan 8, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Tailscale daemon configuration file\r\n\r\nLast validated: Jan 8, 2026\r\n\r\nThe `tailscaled` configuration file support is in alpha and the schema might change in future releases. Tailscale intends to preserve compatibility with earlier versions when possible. If breaking changes occur, a new version designation will be used.\r\n\r\nYou can configure the [Tailscale daemon](https://tailscale.com/docs/reference/tailscaled) (`tailscaled`) using a JSON configuration file instead of command-line flags passed to the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli). This approach is useful for headless deployments, containers, Kubernetes, and [infrastructure-as-code workflows](https://tailscale.com/docs/integration-infrastructure-as-code).\r\n\r\n## [Basic usage](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#basic-usage)\r\n\r\nThe `tailscaled` configuration file only requires you to set the `version` field manually. The following example shows a minimal configuration example:\r\n\r\n```json\r\n{\r\n  \"version\": \"alpha0\",\r\n  \"authKey\": \"tskey-auth-example-XXXXX\",\r\n  \"hostname\": \"my-server\",\r\n  \"acceptRoutes\": true\r\n}\r\n```\r\n\r\nTo start `tailscaled` with a configuration file, use the `--config` flag:\r\n\r\n```shell\r\ntailscaled --config=/etc/tailscale/config.json\r\n```\r\n\r\nThe Tailscale daemon does not automatically discover configuration files. You must specify the path explicitly using the `--config` flag.\r\n\r\n## [Configuration options](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#configuration-options)\r\n\r\nThe configuration file uses JSON or [HuJSON](https://github.com/tailscale/hujson) format. The following tables describe all available options. This section organizes all configuration options by category.\r\n\r\n### [Required options](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#required-options)\r\n\r\nThe `version` field is the only required option because all other necessary options have default values. If you omit optional fields, the Tailscale daemon uses the default values.\r\n\r\n| Option | Type | Description |\r\n| --- | --- | --- |\r\n| `version` | String | Required. The version of the configuration file schema. The only supported value is `\"alpha0\"`. |\r\n\r\n### [Authentication](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#authentication)\r\n\r\nThe following configuration options are for authenticating with the Tailscale [control plane](https://tailscale.com/docs/concepts/control-data-planes).\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `serverURL` | String | `https://controlplane.tailscale.com` | Specify the URL of a [custom control server](https://tailscale.com/docs/how-to/set-up-custom-control-server). |\r\n| `authKey` | String | None | Specify an [Auth key](https://tailscale.com/docs/features/access-control/auth-keys) or [OAuth client secret](https://tailscale.com/docs/features/oauth-clients) for authentication. Prefix with `file:` to read from a file path (for example, `file:/etc/tailscale/authkey`). The daemon re-reads the file each time it authenticates with the [control plane](https://tailscale.com/docs/concepts/control-data-planes). |\r\n\r\n### [General settings](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#general-settings)\r\n\r\nThe following configuration options are options for general Tailscale behavior.\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `locked` | Boolean | `true` | Set to `true` to prevent configuration changes by using the [`tailscale set`](https://tailscale.com/docs/reference/tailscale-cli#set) command, ensuring the configuration stays consistent with the file. Set to `false` to allow runtime modifications. |\r\n| `enabled` | Boolean | `true` | Specify whether Tailscale should be running. Setting this to `false` has the same effect as running `tailscale down`. |\r\n| `hostname` | String | OS hostname | Specify the hostname for the device as displayed in the admin console and used for [MagicDNS](https://tailscale.com/docs/features/magicdns). |\r\n| `operatorUser` | String | None | Specify a local Unix username allowed to operate `tailscaled` without root privileges. |\r\n\r\n### [DNS and routing](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#dns-and-routing)\r\n\r\nThe following configuration options are options for DNS and subnet routing.\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `acceptDNS` | Boolean | `true` | Set to `false` to disable using the [DNS configuration](https://tailscale.com/docs/reference/dns-in-tailscale) from the tailnet. |\r\n| `acceptRoutes` | Boolean | [Platform-dependent](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#acceptroutes-defaults) | Set to `true` to accept [subnet routes](https://tailscale.com/docs/features/subnet-routers) advertised by other devices. |\r\n| `advertiseRoutes` | Array of Strings | None | An array of [subnet routes](https://tailscale.com/docs/features/subnet-routers) to advertise to the tailnet. Use the format `[\"<CIDR>\"]`. |\r\n| `disableSNAT` | Boolean | `false` | Set to `true` to disable source NAT for traffic to advertised subnet routes. |\r\n\r\nPlatform-dependent default values for `acceptRoutes`:\r\n\r\n- Defaults to `true` for Windows, iOS, Android, the macOS App Store variant, and the macOS Standalone variant.\r\n- Defaults to `false` Unix platforms (Linux, BSD, and the macOS open source variant).\r\n\r\n### [Exit nodes](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#exit-nodes)\r\n\r\nThe following configuration options are options for [exit nodes](https://tailscale.com/docs/features/exit-nodes).\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `exitNode` | String | None | [Exit node](https://tailscale.com/docs/features/exit-nodes) to use. You can use an IP address, stable node ID, or MagicDNS base name. It accepts any value supported by the [`tailscale set --exit-node=<identifier>`](https://tailscale.com/docs/reference/tailscale-cli#set) command. |\r\n| `allowLANWhileUsingExitNode` | Boolean | `false` | Set to `true` to permit access to the local network (LAN) while routing traffic through an exit node. |\r\n\r\nYou can find the stable node ID of a device in the [Machines](https://login.tailscale.com/admin/machines) of the admin console.\r\n\r\n### [Features](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#features)\r\n\r\nThe following configuration options are for enabling or disabling specific Tailscale features.\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `runSSHServer` | Boolean | `false` | Set to `true` to enable [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) server. |\r\n| `runWebClient` | Boolean | `false` | Set to `true` to enable the Tailscale [web client interface](https://tailscale.com/docs/features/client/device-web-interface). |\r\n| `shieldsUp` | Boolean | `false` | Set to `true` to block all incoming connections from other tailnet regardless of access control policies. You might consider this if you only want to permit outbound connections. This is similar to how you can configure [incoming connections in the Tailscale client](https://tailscale.com/docs/features/client/manage-preferences#allow-incoming-connections). |\r\n| `postureChecking` | Boolean | `false` | Set to `true` to enable [device posture](https://tailscale.com/docs/features/device-posture) data collection. |\r\n| `advertiseServices` | Array of Strings | None | Specify [services](https://tailscale.com/docs/features/services) to advertise (for example, `[\"svc:my-api\"]`). Used with Tailscale Service virtual IP addresses for high availability. |\r\n| `appConnector` | Object | None | [App connector](https://tailscale.com/docs/features/app-connectors) configuration. Set `{\"advertise\": true}` to run as an [app connector](https://tailscale.com/docs/features/app-connectors/how-to/setup). |\r\n\r\n### [Auto-update](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#auto-update)\r\n\r\nThe following configuration options are options for automatic updates.\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `autoUpdate` | Object | None | Auto-update preferences. Set to `check` to enable checking for updates. Set to `apply` to automatically apply updates. For example: `{\"check\": true, \"apply\": false}`. |\r\n\r\n### [Linux-specific options](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#linux-specific-options)\r\n\r\nLinux-specific configuration options.\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `netfilterMode` | String | `\"on\"` | Set the firewall management mode: `\"on\"`, `\"nodivert\"`, or `\"off\"`. This specifies how `tailscaled` manages `iptables`/`nftables` rules on Linux. |\r\n| `noStatefulFiltering` | Boolean | `false` | Set to `true` to disable stateful packet filtering for subnet routers and exit nodes. |\r\n\r\n#### [`netfilterMode` values](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#netfiltermode-values)\r\n\r\n- `on`: Normal operation. In this mode, `tailscaled` creates `iptables`/`nftables` chains and adds a rule to start of the relevant standard chains that jumps into them. For example, it inserts a jump to `ts-input` at the start of the `filter` table `INPUT` chain, to `ts-forward` from `FORWARD`, to `ts-output` from `OUTPUT`, and so on. It also adds a `ts-postrouting` in the `nat` table.\r\n- `nodivert`: No divert mode. In this mode, `tailscaled` creates `iptables`/`nftables` chains as usual, but does not send traffic to them. For the system to work correctly, you must configure those rules manually (for example, add a jump from `INPUT` to `ts-input`). This makes it possible to have other rules take effect before the Tailscale rules. Using `nodivert` also means that `tailscaled` won't rewrite the jumps occasionally because this would move the Tailscale rules back to the start.\r\n- `off`: In this mode, `tailscaled` does not make any changes to `iptables`/`nftables`. There usually isn't a good reason to use this mode.\r\n\r\n### [Advanced options](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#advanced-options)\r\n\r\nThe following configuration options are options for advanced use cases, such as customizing the Kubernetes Operators.\r\n\r\n| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| `staticEndpoints` | Array of Strings | None | Specify an array of additional [WireGuard](https://tailscale.com/docs/concepts/wireguard) endpoints to advertise alongside discovered endpoints. Use the format `[\"<address>:<port>\"]`. Refer to [Kubernetes Operator customization](https://tailscale.com/docs/features/kubernetes-operator/how-to/customize#static-endpoints) for more information. |\r\n\r\n## [Schema reference](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#schema-reference)\r\n\r\nThe following schema shows all available options in a single block. Remove all comments before using this in a JSON file, or use [HuJSON](https://github.com/tailscale/hujson) format to keep them.\r\n\r\n```json\r\n{\r\n  \"version\": \"alpha0\", // Required.\r\n  \"serverURL\": \"https://controlplane.tailscale.com\", // Optional.\r\n  \"authKey\": \"<auth-key>\", // Optional.\r\n  \"locked\": true, // Optional.\r\n  \"enabled\": true, // Optional.\r\n  \"hostname\": \"<hostname>\", // Optional. Default: OS hostname.\r\n  \"operatorUser\": \"<username>\", // Optional.\r\n  \"acceptDNS\": <true|false>, // Optional. Default: platform-dependent.\r\n  \"acceptRoutes\": <true|false>, // Optional. Default: platform-dependent.\r\n  \"advertiseRoutes\": [\"<CIDR>\"], // Optional.\r\n  \"disableSNAT\": false, // Optional.\r\n  \"exitNode\": \"<IP-address|stable-node-ID|MagicDNS-name>\", // Optional.\r\n  \"allowLANWhileUsingExitNode\": false, // Optional.\r\n  \"runSSHServer\": false, // Optional.\r\n  \"runWebClient\": false, // Optional.\r\n  \"shieldsUp\": false, // Optional.\r\n  \"postureChecking\": false, // Optional.\r\n  \"advertiseServices\": [\"svc:<service-name>\"], // Optional.\r\n  \"appConnector\": {\"advertise\": <true|false>}, // Optional.\r\n  \"autoUpdate\": {\"check\": <true|false>, \"apply\": <true|false>}, // Optional.\r\n  \"netfilterMode\": \"on\", // Optional (Linux-specific). Values: \"on\", \"nodivert\", \"off\".\r\n  \"noStatefulFiltering\": false, // Optional.\r\n  \"staticEndpoints\": [\"<address>:<port>\"], // Optional.\r\n}\r\n```\r\n\r\n## [Read configuration from cloud metadata](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#read-configuration-from-cloud-metadata)\r\n\r\nInstead of using a configuration file, you can read configuration options directly from cloud instance metadata.\r\n\r\nCloud metadata support is limited to Amazon EC2. Support for Google Cloud Platform (GCP), Azure, and [cloud-init](https://tailscale.com/docs/install/with-cloud-init) is planned for future releases.\r\n\r\nTo read configuration from an [Amazon EC2](https://docs.aws.amazon.com/ec2/) instance, store the configuration in the instance's user data and use the special path `vm:user-data`:\r\n\r\n```shell\r\ntailscaled --config=vm:user-data\r\n```\r\n\r\nThis tells the `tailscaled` daemon to read the configuration from the EC2 instance metadata service at `http://<ip-address>/latest/user-data`.\r\n\r\n## [Reload configuration changes](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#reload-configuration-changes)\r\n\r\nThe Tailscale daemon reads the configuration file one time at startup and does not automatically monitor it for changes. To apply configuration changes, you have the following options:\r\n\r\n### [Manually reload the configuration](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#manually-reload-the-configuration)\r\n\r\nUse the `tailscale debug reload-config` command to reload the configuration file without restarting the daemon:\r\n\r\n```shell\r\ntailscale debug reload-config\r\n```\r\n\r\nThis command calls the LocalAPI endpoint `/localapi/v0/reload-config` and applies any changes from the configuration file.\r\n\r\n### [Restart the daemon](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#restart-the-daemon)\r\n\r\nRestart `tailscaled` to reload the configuration:\r\n\r\n```shell\r\nsudo systemctl restart tailscaled\r\n```\r\n\r\nAutomatic configuration file watching for standalone `tailscaled` deployments is not currently supported. If you need this functionality outside of Kubernetes, consider using a file watcher that calls `tailscale debug reload-config` when it detects changes.\r\n\r\n## [Limitations](https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file\\#limitations)\r\n\r\nYou can use configuration files on Linux and other Unix-like systems where you run `tailscaled` directly. For macOS, refer to [tailscaled on macOS](https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS). iOS and Android do not support configuration files.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Tailscale daemon configuration file</h1>\n<p>Last validated: Jan 8, 2026</p>\n<p>The <code>tailscaled</code> configuration file support is in alpha and the schema might change in future releases. Tailscale intends to preserve compatibility with earlier versions when possible. If breaking changes occur, a new version designation will be used.</p>\n<p>You can configure the <a href=\"https://tailscale.com/docs/reference/tailscaled\">Tailscale daemon</a> (<code>tailscaled</code>) using a JSON configuration file instead of command-line flags passed to the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>. This approach is useful for headless deployments, containers, Kubernetes, and <a href=\"https://tailscale.com/docs/integration-infrastructure-as-code\">infrastructure-as-code workflows</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#basic-usage\">Basic usage</a></h2>\n<p>The <code>tailscaled</code> configuration file only requires you to set the <code>version</code> field manually. The following example shows a minimal configuration example:</p>\n<pre><code class=\"language-json\">{\r\n  \"version\": \"alpha0\",\r\n  \"authKey\": \"tskey-auth-example-XXXXX\",\r\n  \"hostname\": \"my-server\",\r\n  \"acceptRoutes\": true\r\n}\n</code></pre>\n<p>To start <code>tailscaled</code> with a configuration file, use the <code>--config</code> flag:</p>\n<pre><code class=\"language-shell\">tailscaled --config=/etc/tailscale/config.json\n</code></pre>\n<p>The Tailscale daemon does not automatically discover configuration files. You must specify the path explicitly using the <code>--config</code> flag.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#configuration-options\">Configuration options</a></h2>\n<p>The configuration file uses JSON or <a href=\"https://github.com/tailscale/hujson\">HuJSON</a> format. The following tables describe all available options. This section organizes all configuration options by category.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#required-options\">Required options</a></h3>\n<p>The <code>version</code> field is the only required option because all other necessary options have default values. If you omit optional fields, the Tailscale daemon uses the default values.</p>\n<p>| Option | Type | Description |\r\n| --- | --- | --- |\r\n| <code>version</code> | String | Required. The version of the configuration file schema. The only supported value is <code>\"alpha0\"</code>. |</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#authentication\">Authentication</a></h3>\n<p>The following configuration options are for authenticating with the Tailscale <a href=\"https://tailscale.com/docs/concepts/control-data-planes\">control plane</a>.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>serverURL</code> | String | <code>https://controlplane.tailscale.com</code> | Specify the URL of a <a href=\"https://tailscale.com/docs/how-to/set-up-custom-control-server\">custom control server</a>. |\r\n| <code>authKey</code> | String | None | Specify an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">Auth key</a> or <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth client secret</a> for authentication. Prefix with <code>file:</code> to read from a file path (for example, <code>file:/etc/tailscale/authkey</code>). The daemon re-reads the file each time it authenticates with the <a href=\"https://tailscale.com/docs/concepts/control-data-planes\">control plane</a>. |</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#general-settings\">General settings</a></h3>\n<p>The following configuration options are options for general Tailscale behavior.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>locked</code> | Boolean | <code>true</code> | Set to <code>true</code> to prevent configuration changes by using the <a href=\"https://tailscale.com/docs/reference/tailscale-cli#set\"><code>tailscale set</code></a> command, ensuring the configuration stays consistent with the file. Set to <code>false</code> to allow runtime modifications. |\r\n| <code>enabled</code> | Boolean | <code>true</code> | Specify whether Tailscale should be running. Setting this to <code>false</code> has the same effect as running <code>tailscale down</code>. |\r\n| <code>hostname</code> | String | OS hostname | Specify the hostname for the device as displayed in the admin console and used for <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a>. |\r\n| <code>operatorUser</code> | String | None | Specify a local Unix username allowed to operate <code>tailscaled</code> without root privileges. |</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#dns-and-routing\">DNS and routing</a></h3>\n<p>The following configuration options are options for DNS and subnet routing.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>acceptDNS</code> | Boolean | <code>true</code> | Set to <code>false</code> to disable using the <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS configuration</a> from the tailnet. |\r\n| <code>acceptRoutes</code> | Boolean | <a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#acceptroutes-defaults\">Platform-dependent</a> | Set to <code>true</code> to accept <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routes</a> advertised by other devices. |\r\n| <code>advertiseRoutes</code> | Array of Strings | None | An array of <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routes</a> to advertise to the tailnet. Use the format <code>[\"&#x3C;CIDR>\"]</code>. |\r\n| <code>disableSNAT</code> | Boolean | <code>false</code> | Set to <code>true</code> to disable source NAT for traffic to advertised subnet routes. |</p>\n<p>Platform-dependent default values for <code>acceptRoutes</code>:</p>\n<ul>\n<li>Defaults to <code>true</code> for Windows, iOS, Android, the macOS App Store variant, and the macOS Standalone variant.</li>\n<li>Defaults to <code>false</code> Unix platforms (Linux, BSD, and the macOS open source variant).</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#exit-nodes\">Exit nodes</a></h3>\n<p>The following configuration options are options for <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a>.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>exitNode</code> | String | None | <a href=\"https://tailscale.com/docs/features/exit-nodes\">Exit node</a> to use. You can use an IP address, stable node ID, or MagicDNS base name. It accepts any value supported by the <a href=\"https://tailscale.com/docs/reference/tailscale-cli#set\"><code>tailscale set --exit-node=&#x3C;identifier></code></a> command. |\r\n| <code>allowLANWhileUsingExitNode</code> | Boolean | <code>false</code> | Set to <code>true</code> to permit access to the local network (LAN) while routing traffic through an exit node. |</p>\n<p>You can find the stable node ID of a device in the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> of the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#features\">Features</a></h3>\n<p>The following configuration options are for enabling or disabling specific Tailscale features.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>runSSHServer</code> | Boolean | <code>false</code> | Set to <code>true</code> to enable <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> server. |\r\n| <code>runWebClient</code> | Boolean | <code>false</code> | Set to <code>true</code> to enable the Tailscale <a href=\"https://tailscale.com/docs/features/client/device-web-interface\">web client interface</a>. |\r\n| <code>shieldsUp</code> | Boolean | <code>false</code> | Set to <code>true</code> to block all incoming connections from other tailnet regardless of access control policies. You might consider this if you only want to permit outbound connections. This is similar to how you can configure <a href=\"https://tailscale.com/docs/features/client/manage-preferences#allow-incoming-connections\">incoming connections in the Tailscale client</a>. |\r\n| <code>postureChecking</code> | Boolean | <code>false</code> | Set to <code>true</code> to enable <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> data collection. |\r\n| <code>advertiseServices</code> | Array of Strings | None | Specify <a href=\"https://tailscale.com/docs/features/services\">services</a> to advertise (for example, <code>[\"svc:my-api\"]</code>). Used with Tailscale Service virtual IP addresses for high availability. |\r\n| <code>appConnector</code> | Object | None | <a href=\"https://tailscale.com/docs/features/app-connectors\">App connector</a> configuration. Set <code>{\"advertise\": true}</code> to run as an <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup\">app connector</a>. |</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#auto-update\">Auto-update</a></h3>\n<p>The following configuration options are options for automatic updates.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>autoUpdate</code> | Object | None | Auto-update preferences. Set to <code>check</code> to enable checking for updates. Set to <code>apply</code> to automatically apply updates. For example: <code>{\"check\": true, \"apply\": false}</code>. |</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#linux-specific-options\">Linux-specific options</a></h3>\n<p>Linux-specific configuration options.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>netfilterMode</code> | String | <code>\"on\"</code> | Set the firewall management mode: <code>\"on\"</code>, <code>\"nodivert\"</code>, or <code>\"off\"</code>. This specifies how <code>tailscaled</code> manages <code>iptables</code>/<code>nftables</code> rules on Linux. |\r\n| <code>noStatefulFiltering</code> | Boolean | <code>false</code> | Set to <code>true</code> to disable stateful packet filtering for subnet routers and exit nodes. |</p>\n<h4><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#netfiltermode-values\"><code>netfilterMode</code> values</a></h4>\n<ul>\n<li><code>on</code>: Normal operation. In this mode, <code>tailscaled</code> creates <code>iptables</code>/<code>nftables</code> chains and adds a rule to start of the relevant standard chains that jumps into them. For example, it inserts a jump to <code>ts-input</code> at the start of the <code>filter</code> table <code>INPUT</code> chain, to <code>ts-forward</code> from <code>FORWARD</code>, to <code>ts-output</code> from <code>OUTPUT</code>, and so on. It also adds a <code>ts-postrouting</code> in the <code>nat</code> table.</li>\n<li><code>nodivert</code>: No divert mode. In this mode, <code>tailscaled</code> creates <code>iptables</code>/<code>nftables</code> chains as usual, but does not send traffic to them. For the system to work correctly, you must configure those rules manually (for example, add a jump from <code>INPUT</code> to <code>ts-input</code>). This makes it possible to have other rules take effect before the Tailscale rules. Using <code>nodivert</code> also means that <code>tailscaled</code> won't rewrite the jumps occasionally because this would move the Tailscale rules back to the start.</li>\n<li><code>off</code>: In this mode, <code>tailscaled</code> does not make any changes to <code>iptables</code>/<code>nftables</code>. There usually isn't a good reason to use this mode.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#advanced-options\">Advanced options</a></h3>\n<p>The following configuration options are options for advanced use cases, such as customizing the Kubernetes Operators.</p>\n<p>| Option | Type | Default | Description |\r\n| --- | --- | --- | --- |\r\n| <code>staticEndpoints</code> | Array of Strings | None | Specify an array of additional <a href=\"https://tailscale.com/docs/concepts/wireguard\">WireGuard</a> endpoints to advertise alongside discovered endpoints. Use the format <code>[\"&#x3C;address>:&#x3C;port>\"]</code>. Refer to <a href=\"https://tailscale.com/docs/features/kubernetes-operator/how-to/customize#static-endpoints\">Kubernetes Operator customization</a> for more information. |</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#schema-reference\">Schema reference</a></h2>\n<p>The following schema shows all available options in a single block. Remove all comments before using this in a JSON file, or use <a href=\"https://github.com/tailscale/hujson\">HuJSON</a> format to keep them.</p>\n<pre><code class=\"language-json\">{\r\n  \"version\": \"alpha0\", // Required.\r\n  \"serverURL\": \"https://controlplane.tailscale.com\", // Optional.\r\n  \"authKey\": \"&#x3C;auth-key>\", // Optional.\r\n  \"locked\": true, // Optional.\r\n  \"enabled\": true, // Optional.\r\n  \"hostname\": \"&#x3C;hostname>\", // Optional. Default: OS hostname.\r\n  \"operatorUser\": \"&#x3C;username>\", // Optional.\r\n  \"acceptDNS\": &#x3C;true|false>, // Optional. Default: platform-dependent.\r\n  \"acceptRoutes\": &#x3C;true|false>, // Optional. Default: platform-dependent.\r\n  \"advertiseRoutes\": [\"&#x3C;CIDR>\"], // Optional.\r\n  \"disableSNAT\": false, // Optional.\r\n  \"exitNode\": \"&#x3C;IP-address|stable-node-ID|MagicDNS-name>\", // Optional.\r\n  \"allowLANWhileUsingExitNode\": false, // Optional.\r\n  \"runSSHServer\": false, // Optional.\r\n  \"runWebClient\": false, // Optional.\r\n  \"shieldsUp\": false, // Optional.\r\n  \"postureChecking\": false, // Optional.\r\n  \"advertiseServices\": [\"svc:&#x3C;service-name>\"], // Optional.\r\n  \"appConnector\": {\"advertise\": &#x3C;true|false>}, // Optional.\r\n  \"autoUpdate\": {\"check\": &#x3C;true|false>, \"apply\": &#x3C;true|false>}, // Optional.\r\n  \"netfilterMode\": \"on\", // Optional (Linux-specific). Values: \"on\", \"nodivert\", \"off\".\r\n  \"noStatefulFiltering\": false, // Optional.\r\n  \"staticEndpoints\": [\"&#x3C;address>:&#x3C;port>\"], // Optional.\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#read-configuration-from-cloud-metadata\">Read configuration from cloud metadata</a></h2>\n<p>Instead of using a configuration file, you can read configuration options directly from cloud instance metadata.</p>\n<p>Cloud metadata support is limited to Amazon EC2. Support for Google Cloud Platform (GCP), Azure, and <a href=\"https://tailscale.com/docs/install/with-cloud-init\">cloud-init</a> is planned for future releases.</p>\n<p>To read configuration from an <a href=\"https://docs.aws.amazon.com/ec2/\">Amazon EC2</a> instance, store the configuration in the instance's user data and use the special path <code>vm:user-data</code>:</p>\n<pre><code class=\"language-shell\">tailscaled --config=vm:user-data\n</code></pre>\n<p>This tells the <code>tailscaled</code> daemon to read the configuration from the EC2 instance metadata service at <code>http://&#x3C;ip-address>/latest/user-data</code>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#reload-configuration-changes\">Reload configuration changes</a></h2>\n<p>The Tailscale daemon reads the configuration file one time at startup and does not automatically monitor it for changes. To apply configuration changes, you have the following options:</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#manually-reload-the-configuration\">Manually reload the configuration</a></h3>\n<p>Use the <code>tailscale debug reload-config</code> command to reload the configuration file without restarting the daemon:</p>\n<pre><code class=\"language-shell\">tailscale debug reload-config\n</code></pre>\n<p>This command calls the LocalAPI endpoint <code>/localapi/v0/reload-config</code> and applies any changes from the configuration file.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#restart-the-daemon\">Restart the daemon</a></h3>\n<p>Restart <code>tailscaled</code> to reload the configuration:</p>\n<pre><code class=\"language-shell\">sudo systemctl restart tailscaled\n</code></pre>\n<p>Automatic configuration file watching for standalone <code>tailscaled</code> deployments is not currently supported. If you need this functionality outside of Kubernetes, consider using a file watcher that calls <code>tailscale debug reload-config</code> when it detects changes.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscaled/tailescaled-config-file#limitations\">Limitations</a></h2>\n<p>You can use configuration files on Linux and other Unix-like systems where you run <code>tailscaled</code> directly. For macOS, refer to <a href=\"https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS\">tailscaled on macOS</a>. iOS and Android do not support configuration files.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}