{"slug":"using-tailscale-with-captive-portals","title":"Using Tailscale with captive portals","tags":["tailscale"],"agent_summary":"Last validated: Dec 10, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Using Tailscale with captive portals\r\n\r\nLast validated: Dec 10, 2025\r\n\r\nWhen you connect to a public network, you might be redirected to a [captive portal](https://en.wikipedia.org/wiki/Captive_portal) requiring you to authenticate or accept terms before accessing the internet.\r\n\r\nA captive portal typically appears before the user can access any other web pages, and often includes login forms, payment options, or advertisements. Captive portals are commonly used in public Wi-Fi hotspots such as those found in airports, hotels, coffee shops, libraries, and other public venues. They are also frequently implemented in corporate environments and educational institutions to ensure only users with credentials can connect to the network.\r\n\r\nIf you connect your device to a captive portal and do not complete the authentication steps, Tailscale cannot establish a connection to the coordination server, and connectivity with other devices in your tailnet is not possible.\r\n\r\n## [Captive portal notifications](https://tailscale.com/docs/integrations/captive-portals\\#captive-portal-notifications)\r\n\r\nCaptive portal notifications are currently only supported on macOS and iOS. Notification permissions must be granted for the Tailscale client in order for notifications to appear.\r\n\r\nIn Tailscale v1.72 or later, a notification will appear on your device when a captive portal is detected:\r\n\r\n![Notification informing the user about the presence of a captive portal on macOS](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcaptive-portal-notification.dfd52e9a.png&w=828&q=75)\r\n\r\nOn platforms where the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli) is available, the `tailscale status` command will also include a health warning:\r\n\r\n```shell\r\ntailscale status\r\n```\r\n\r\nThis command should output the following:\r\n\r\n```shell\r\n# Health check:\r\n#     - This network requires you to log in using your web browser.\r\n```\r\n\r\nTo resolve the issue, complete the necessary authentication steps in your web browser by attempting to access a website such as [`example.com`](http://www.example.com/).\r\n\r\n## [How Tailscale detects captive portals](https://tailscale.com/docs/integrations/captive-portals\\#how-tailscale-detects-captive-portals)\r\n\r\nCaptive portal detection requires Tailscale v1.72 or later.\r\n\r\nAlthough a number of [standards](https://www.rfc-editor.org/rfc/rfc8952.html) have been proposed over the years, captive portals are implemented differently by each networking equipment manufacturer or ISP. Due to the lack of a uniform standard, there is no widely used protocol to reliably detect a captive portal. The Tailscale client detects captive portals continuously in the background, on a best-effort basis, by performing these steps:\r\n\r\n1. The client continuously observes the state of network interfaces and connections to the Tailscale [coordination server](https://tailscale.com/docs/reference/glossary#coordination-server) and [relay servers](https://tailscale.com/docs/reference/derp-servers). If a connectivity issue is observed, the captive portal detection process starts. Captive portal detection does not run unless a connectivity issue is observed.\r\n2. Tailscale attempts to contact a set of relay servers that are known to accept incoming connections on TCP port `80`. The client executes an unencrypted HTTP request reaching out to a `/generate_204` endpoint on the relay server. This endpoint is expected to return an HTTP response with a 204 status code.\r\n3. Because [DNS resolution](https://tailscale.com/docs/reference/dns-in-tailscale) is unreliable behind some captive portals, Tailscale reaches out to the relay server by directly using its IPv4 address. For instance, the outgoing HTTP request may target a relay server at `http://123.12.12.123/generate_204`.\r\n4. As part of the HTTP request above, Tailscale may also send a challenge in the HTTP headers of the request (`X-Tailscale-Challenge`), if the relay server supports the challenge protocol. This challenge header value is `ts_<hostname>`, where `<hostname>` is the hostname of the relay server being used.\r\n5. The HTTP request is sent, and the status code and headers of the HTTP response are evaluated.\r\n\r\n- If the status code is `204` and the `X-Tailscale-Response` is `response ts_<hostname>`, Tailscale assumes that no captive portal has been detected.\r\n- If `X-Tailscale-Response` is missing from the response, or has an unexpected value, or the return status code is not `204`, Tailscale infers that something is tampering with the HTTP connection, and therefore a captive portal is likely present.\r\n\r\n## [Disable captive portal detection](https://tailscale.com/docs/integrations/captive-portals\\#disable-captive-portal-detection)\r\n\r\nYou can turn off captive portal detection if you always use your computer in the same location or want to avoid detection-related traffic to our servers by configuring the `disable-captive-portal-detection` [node attribute](https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs) in your tailnet [access control policies](https://tailscale.com/docs/features/access-control):\r\n\r\n```json\r\n{\r\n  \"nodeAttrs\": [\\\r\n    {\\\r\n      \"target\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"attr\": [\\\r\n        \"disable-captive-portal-detection\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Using Tailscale with captive portals</h1>\n<p>Last validated: Dec 10, 2025</p>\n<p>When you connect to a public network, you might be redirected to a <a href=\"https://en.wikipedia.org/wiki/Captive_portal\">captive portal</a> requiring you to authenticate or accept terms before accessing the internet.</p>\n<p>A captive portal typically appears before the user can access any other web pages, and often includes login forms, payment options, or advertisements. Captive portals are commonly used in public Wi-Fi hotspots such as those found in airports, hotels, coffee shops, libraries, and other public venues. They are also frequently implemented in corporate environments and educational institutions to ensure only users with credentials can connect to the network.</p>\n<p>If you connect your device to a captive portal and do not complete the authentication steps, Tailscale cannot establish a connection to the coordination server, and connectivity with other devices in your tailnet is not possible.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/captive-portals#captive-portal-notifications\">Captive portal notifications</a></h2>\n<p>Captive portal notifications are currently only supported on macOS and iOS. Notification permissions must be granted for the Tailscale client in order for notifications to appear.</p>\n<p>In Tailscale v1.72 or later, a notification will appear on your device when a captive portal is detected:</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcaptive-portal-notification.dfd52e9a.png&#x26;w=828&#x26;q=75\" alt=\"Notification informing the user about the presence of a captive portal on macOS\"></p>\n<p>On platforms where the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a> is available, the <code>tailscale status</code> command will also include a health warning:</p>\n<pre><code class=\"language-shell\">tailscale status\n</code></pre>\n<p>This command should output the following:</p>\n<pre><code class=\"language-shell\"># Health check:\r\n#     - This network requires you to log in using your web browser.\n</code></pre>\n<p>To resolve the issue, complete the necessary authentication steps in your web browser by attempting to access a website such as <a href=\"http://www.example.com/\"><code>example.com</code></a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/captive-portals#how-tailscale-detects-captive-portals\">How Tailscale detects captive portals</a></h2>\n<p>Captive portal detection requires Tailscale v1.72 or later.</p>\n<p>Although a number of <a href=\"https://www.rfc-editor.org/rfc/rfc8952.html\">standards</a> have been proposed over the years, captive portals are implemented differently by each networking equipment manufacturer or ISP. Due to the lack of a uniform standard, there is no widely used protocol to reliably detect a captive portal. The Tailscale client detects captive portals continuously in the background, on a best-effort basis, by performing these steps:</p>\n<ol>\n<li>The client continuously observes the state of network interfaces and connections to the Tailscale <a href=\"https://tailscale.com/docs/reference/glossary#coordination-server\">coordination server</a> and <a href=\"https://tailscale.com/docs/reference/derp-servers\">relay servers</a>. If a connectivity issue is observed, the captive portal detection process starts. Captive portal detection does not run unless a connectivity issue is observed.</li>\n<li>Tailscale attempts to contact a set of relay servers that are known to accept incoming connections on TCP port <code>80</code>. The client executes an unencrypted HTTP request reaching out to a <code>/generate_204</code> endpoint on the relay server. This endpoint is expected to return an HTTP response with a 204 status code.</li>\n<li>Because <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS resolution</a> is unreliable behind some captive portals, Tailscale reaches out to the relay server by directly using its IPv4 address. For instance, the outgoing HTTP request may target a relay server at <code>http://123.12.12.123/generate_204</code>.</li>\n<li>As part of the HTTP request above, Tailscale may also send a challenge in the HTTP headers of the request (<code>X-Tailscale-Challenge</code>), if the relay server supports the challenge protocol. This challenge header value is <code>ts_&#x3C;hostname></code>, where <code>&#x3C;hostname></code> is the hostname of the relay server being used.</li>\n<li>The HTTP request is sent, and the status code and headers of the HTTP response are evaluated.</li>\n</ol>\n<ul>\n<li>If the status code is <code>204</code> and the <code>X-Tailscale-Response</code> is <code>response ts_&#x3C;hostname></code>, Tailscale assumes that no captive portal has been detected.</li>\n<li>If <code>X-Tailscale-Response</code> is missing from the response, or has an unexpected value, or the return status code is not <code>204</code>, Tailscale infers that something is tampering with the HTTP connection, and therefore a captive portal is likely present.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/captive-portals#disable-captive-portal-detection\">Disable captive portal detection</a></h2>\n<p>You can turn off captive portal detection if you always use your computer in the same location or want to avoid detection-related traffic to our servers by configuring the <code>disable-captive-portal-detection</code> <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs\">node attribute</a> in your tailnet <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a>:</p>\n<pre><code class=\"language-json\">{\r\n  \"nodeAttrs\": [\\\r\n    {\\\r\n      \"target\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"attr\": [\\\r\n        \"disable-captive-portal-detection\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}