{"slug":"tailscale-up-command","title":"tailscale up command","tags":["tailscale"],"agent_summary":"Last validated: Jan 26, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# tailscale up command\r\n\r\nLast validated: Jan 26, 2026\r\n\r\n`tailscale up` connects your device to Tailscale, and authenticates if needed.\r\n\r\n```shell\r\ntailscale up [flags]\r\n```\r\n\r\nRunning `tailscale up` without any flags connects to Tailscale.\r\n\r\nYou can specify flags to configure Tailscale's behavior. Flags are not persisted between runs; you must specify all flags each time.\r\n\r\nTo clear previously set flags like tags and routes, pass the flag with an empty argument:\r\n\r\n```shell\r\n# Connects with `tag:server`\r\ntailscale up --advertise-tags=tag:server\r\n\r\n# Connects and clears any tags\r\ntailscale up --advertise-tags=\r\n```\r\n\r\nIn Tailscale v1.8 or later, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.\r\n\r\nAvailable flags:\r\n\r\n- `--accept-dns` Accept [DNS configuration](https://tailscale.com/docs/reference/dns-in-tailscale) from the admin console. Defaults to accepting DNS settings.\r\n- `--accept-risk=<risk>` Accept risk and skip confirmation for risk type. This can be either `lose-ssh` or `all`, or an empty string to not accept risk.\r\n- `--accept-routes` Accept [subnet routes](https://tailscale.com/docs/features/subnet-routers) that other nodes\r\nadvertise. The default depends on the host operating system. For certain platforms - Windows, iOS, Android, the macOS App Store variant, and the macOS standalone variant - the default is to accept routes. All other platforms default to not accepting routes.\r\n- `--advertise-connector` Advertise this node as an [app connector](https://tailscale.com/docs/features/app-connectors).\r\n- `--advertise-exit-node` Offer to be an [exit node](https://tailscale.com/docs/features/exit-nodes) for outbound internet traffic from the Tailscale network. Defaults to not offering to be an exit node.\r\n- `--advertise-routes=<ip>` Expose physical [subnet routes](https://tailscale.com/docs/features/subnet-routers) to your entire\r\nTailscale network.\r\n- `--advertise-tags=<tags>` Give tagged permissions to this device. You\r\nmust be [listed in `\"TagOwners\"`](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) to be able to apply\r\ntags.\r\n- `--auth-key=<key>` Provide an [auth key](https://tailscale.com/docs/features/access-control/auth-keys) to\r\nautomatically authenticate the node as your user account.\r\n- `--client-id` Client ID used to generate [auth keys](https://tailscale.com/docs/features/access-control/auth-keys) by using\r\n[workload identity federation](https://tailscale.com/docs/features/workload-identity-federation).\r\n- `--client-secret` [OAuth Client](https://tailscale.com/docs/features/oauth-clients) secret used to generate\r\n[auth keys](https://tailscale.com/docs/features/access-control/auth-keys); if it begins with `file:`, then it's a path to a\r\nfile containing the secret.\r\n- `--exit-node=<ip|name>` Provide a [Tailscale IP](https://tailscale.com/docs/concepts/ip-and-dns-addresses) or [machine name](https://tailscale.com/docs/concepts/machine-names) to use as an exit node. You can also use `--exit-node=auto:any` to track the suggested exit node and automatically switch to it when available exit nodes or network conditions change. To disable the use of an exit node, pass the flag with an empty argument using `--exit-node=`.\r\n- `--exit-node-allow-lan-access` Allow the client node access to its own LAN while connected to an exit node. Defaults to not allowing access while connected to an exit node.\r\n- `--force-reauth` Force re-authentication.\r\n- `--hostname=<name>` Provide a hostname to use for the device instead of the one provided by the OS. Note that this will change the machine name used in [MagicDNS](https://tailscale.com/docs/features/magicdns).\r\n- `--id-token` ID token from the identity provider to exchange with the control\r\nserver for [workload identity federation](https://tailscale.com/docs/features/workload-identity-federation); if it begins\r\nwith `file:`, then it's a path to a file containing the token.\r\n- `--audience` Audience used when requesting an ID token from an identity provider for auth keys generated by [workload identity federation](https://tailscale.com/docs/features/workload-identity-federation).\r\n- `--json` Output in JSON format. Format is subject to change.\r\n- `--login-server=<url>` Provide the base URL of a control server instead of `https://controlplane.tailscale.com`.\r\nIf you are using [Headscale](https://tailscale.com/blog/opensource#the-open-source-coordination-server) for your control server, use your Headscale instance's URL.\r\n- `--netfilter-mode` (Linux only) Advanced feature for controlling the degree of automatic firewall configuration.\r\nValues are either `off`, `nodivert`, or `on`. Defaults to `on`, except for Synology which defaults to `off`. Setting this flag\r\nto `off` disables all management of `netfilter`. Setting to `nodivert` creates and manages Tailscale sub-chains, but leaves the calling of those\r\nchains up to the administrator. Setting to `on` means using full management of Tailscale's rules. Note that if you set `--netfilter-mode` to `off`\r\nor `nodivert`, it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by\r\n`--netfilter-mode=on` as a starting point. Refer to [netfilter modes](https://tailscale.com/docs/reference/netfilter-modes) for more information.\r\n- `--operator=<user>` Provide a Unix username other than `root` to operate `tailscaled`.\r\n- `--qr` Generate a QR code for the web login URL. Defaults to not showing a QR code.\r\n- `--qr-format=<format>` QR code formatting: `small` or `large`. Defaults to `small`.\r\n- `--reset` Reset unspecified settings to default values.\r\n- `--shields-up` [Block incoming connections](https://tailscale.com/docs/features/client/manage-preferences)\r\nfrom other devices on your Tailscale network. Useful for personal devices\r\nthat only make outgoing connections.\r\n- `--snat-subnet-routes` (Linux only) Source NAT traffic to local routes that are advertised with `--advertise-routes`. Defaults to sourcing the NAT\r\ntraffic to the advertised routes. Set to false to disable subnet route masquerading.\r\n- `--stateful-filtering` (Linux only) Enable stateful filtering for subnet\r\nrouters and exit nodes. When enabled, inbound packets with another node's\r\ndestination IP are dropped, unless they are a part of a tracked outbound\r\nconnection from that node. Defaults to disabled.\r\n- `--ssh` Run a [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) server, permitting access per the tailnet administrator's declared\r\n[access policy](https://tailscale.com/docs/features/access-control/acls), or the [default policy](https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl) if none is\r\ndefined. Defaults to false.\r\n- `--timeout=<duration>` Maximum amount of time to wait for the Tailscale service to initialize. `duration` can be any value parseable by [`time.ParseDuration()`](https://pkg.go.dev/time#ParseDuration). Defaults to `0s`, which blocks forever.\r\n- `--unattended`(Windows only) Run in [unattended mode](https://tailscale.com/docs/how-to/run-unattended) where Tailscale keeps running even after the current user logs out.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>tailscale up command</h1>\n<p>Last validated: Jan 26, 2026</p>\n<p><code>tailscale up</code> connects your device to Tailscale, and authenticates if needed.</p>\n<pre><code class=\"language-shell\">tailscale up [flags]\n</code></pre>\n<p>Running <code>tailscale up</code> without any flags connects to Tailscale.</p>\n<p>You can specify flags to configure Tailscale's behavior. Flags are not persisted between runs; you must specify all flags each time.</p>\n<p>To clear previously set flags like tags and routes, pass the flag with an empty argument:</p>\n<pre><code class=\"language-shell\"># Connects with `tag:server`\r\ntailscale up --advertise-tags=tag:server\r\n\r\n# Connects and clears any tags\r\ntailscale up --advertise-tags=\n</code></pre>\n<p>In Tailscale v1.8 or later, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.</p>\n<p>Available flags:</p>\n<ul>\n<li><code>--accept-dns</code> Accept <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS configuration</a> from the admin console. Defaults to accepting DNS settings.</li>\n<li><code>--accept-risk=&#x3C;risk></code> Accept risk and skip confirmation for risk type. This can be either <code>lose-ssh</code> or <code>all</code>, or an empty string to not accept risk.</li>\n<li><code>--accept-routes</code> Accept <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routes</a> that other nodes\r\nadvertise. The default depends on the host operating system. For certain platforms - Windows, iOS, Android, the macOS App Store variant, and the macOS standalone variant - the default is to accept routes. All other platforms default to not accepting routes.</li>\n<li><code>--advertise-connector</code> Advertise this node as an <a href=\"https://tailscale.com/docs/features/app-connectors\">app connector</a>.</li>\n<li><code>--advertise-exit-node</code> Offer to be an <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit node</a> for outbound internet traffic from the Tailscale network. Defaults to not offering to be an exit node.</li>\n<li><code>--advertise-routes=&#x3C;ip></code> Expose physical <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routes</a> to your entire\r\nTailscale network.</li>\n<li><code>--advertise-tags=&#x3C;tags></code> Give tagged permissions to this device. You\r\nmust be <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">listed in <code>\"TagOwners\"</code></a> to be able to apply\r\ntags.</li>\n<li><code>--auth-key=&#x3C;key></code> Provide an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a> to\r\nautomatically authenticate the node as your user account.</li>\n<li><code>--client-id</code> Client ID used to generate <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth keys</a> by using\r\n<a href=\"https://tailscale.com/docs/features/workload-identity-federation\">workload identity federation</a>.</li>\n<li><code>--client-secret</code> <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth Client</a> secret used to generate\r\n<a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth keys</a>; if it begins with <code>file:</code>, then it's a path to a\r\nfile containing the secret.</li>\n<li><code>--exit-node=&#x3C;ip|name></code> Provide a <a href=\"https://tailscale.com/docs/concepts/ip-and-dns-addresses\">Tailscale IP</a> or <a href=\"https://tailscale.com/docs/concepts/machine-names\">machine name</a> to use as an exit node. You can also use <code>--exit-node=auto:any</code> to track the suggested exit node and automatically switch to it when available exit nodes or network conditions change. To disable the use of an exit node, pass the flag with an empty argument using <code>--exit-node=</code>.</li>\n<li><code>--exit-node-allow-lan-access</code> Allow the client node access to its own LAN while connected to an exit node. Defaults to not allowing access while connected to an exit node.</li>\n<li><code>--force-reauth</code> Force re-authentication.</li>\n<li><code>--hostname=&#x3C;name></code> Provide a hostname to use for the device instead of the one provided by the OS. Note that this will change the machine name used in <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a>.</li>\n<li><code>--id-token</code> ID token from the identity provider to exchange with the control\r\nserver for <a href=\"https://tailscale.com/docs/features/workload-identity-federation\">workload identity federation</a>; if it begins\r\nwith <code>file:</code>, then it's a path to a file containing the token.</li>\n<li><code>--audience</code> Audience used when requesting an ID token from an identity provider for auth keys generated by <a href=\"https://tailscale.com/docs/features/workload-identity-federation\">workload identity federation</a>.</li>\n<li><code>--json</code> Output in JSON format. Format is subject to change.</li>\n<li><code>--login-server=&#x3C;url></code> Provide the base URL of a control server instead of <code>https://controlplane.tailscale.com</code>.\r\nIf you are using <a href=\"https://tailscale.com/blog/opensource#the-open-source-coordination-server\">Headscale</a> for your control server, use your Headscale instance's URL.</li>\n<li><code>--netfilter-mode</code> (Linux only) Advanced feature for controlling the degree of automatic firewall configuration.\r\nValues are either <code>off</code>, <code>nodivert</code>, or <code>on</code>. Defaults to <code>on</code>, except for Synology which defaults to <code>off</code>. Setting this flag\r\nto <code>off</code> disables all management of <code>netfilter</code>. Setting to <code>nodivert</code> creates and manages Tailscale sub-chains, but leaves the calling of those\r\nchains up to the administrator. Setting to <code>on</code> means using full management of Tailscale's rules. Note that if you set <code>--netfilter-mode</code> to <code>off</code>\r\nor <code>nodivert</code>, it is your responsibility to configure the firewall securely for Tailscale traffic. We recommend using the rules installed by\r\n<code>--netfilter-mode=on</code> as a starting point. Refer to <a href=\"https://tailscale.com/docs/reference/netfilter-modes\">netfilter modes</a> for more information.</li>\n<li><code>--operator=&#x3C;user></code> Provide a Unix username other than <code>root</code> to operate <code>tailscaled</code>.</li>\n<li><code>--qr</code> Generate a QR code for the web login URL. Defaults to not showing a QR code.</li>\n<li><code>--qr-format=&#x3C;format></code> QR code formatting: <code>small</code> or <code>large</code>. Defaults to <code>small</code>.</li>\n<li><code>--reset</code> Reset unspecified settings to default values.</li>\n<li><code>--shields-up</code> <a href=\"https://tailscale.com/docs/features/client/manage-preferences\">Block incoming connections</a>\r\nfrom other devices on your Tailscale network. Useful for personal devices\r\nthat only make outgoing connections.</li>\n<li><code>--snat-subnet-routes</code> (Linux only) Source NAT traffic to local routes that are advertised with <code>--advertise-routes</code>. Defaults to sourcing the NAT\r\ntraffic to the advertised routes. Set to false to disable subnet route masquerading.</li>\n<li><code>--stateful-filtering</code> (Linux only) Enable stateful filtering for subnet\r\nrouters and exit nodes. When enabled, inbound packets with another node's\r\ndestination IP are dropped, unless they are a part of a tracked outbound\r\nconnection from that node. Defaults to disabled.</li>\n<li><code>--ssh</code> Run a <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> server, permitting access per the tailnet administrator's declared\r\n<a href=\"https://tailscale.com/docs/features/access-control/acls\">access policy</a>, or the <a href=\"https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl\">default policy</a> if none is\r\ndefined. Defaults to false.</li>\n<li><code>--timeout=&#x3C;duration></code> Maximum amount of time to wait for the Tailscale service to initialize. <code>duration</code> can be any value parseable by <a href=\"https://pkg.go.dev/time#ParseDuration\"><code>time.ParseDuration()</code></a>. Defaults to <code>0s</code>, which blocks forever.</li>\n<li><code>--unattended</code>(Windows only) Run in <a href=\"https://tailscale.com/docs/how-to/run-unattended\">unattended mode</a> where Tailscale keeps running even after the current user logs out.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}