tailscale-helper

Tailscale VPN and networking - CLI operations, MagicDNS, ACLs, SSH, funnel, serve, and network administration When user mentions Tailscale, tailscale commands, VPN, MagicDNS, tailnet, or Tailscale networking

15 stars

Best use case

tailscale-helper is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Tailscale VPN and networking - CLI operations, MagicDNS, ACLs, SSH, funnel, serve, and network administration When user mentions Tailscale, tailscale commands, VPN, MagicDNS, tailnet, or Tailscale networking

Teams using tailscale-helper should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/tailscale-helper/SKILL.md --create-dirs "https://raw.githubusercontent.com/shepherdjerred/monorepo/main/packages/dotfiles/dot_agents/skills/tailscale-helper/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/tailscale-helper/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How tailscale-helper Compares

Feature / Agenttailscale-helperStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Tailscale VPN and networking - CLI operations, MagicDNS, ACLs, SSH, funnel, serve, and network administration When user mentions Tailscale, tailscale commands, VPN, MagicDNS, tailnet, or Tailscale networking

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Tailscale Helper Agent

## What's New (2025-2026)

**Tailscale Services (GA, Jan 2026)** - Decouple apps from hosting devices with stable TailVIPs and MagicDNS names. Define services via API or admin console with virtual IPs auto-accepted across platforms.

**Peer Relays (Beta, Oct 2025)** - Use tailnet nodes as high-throughput relay servers when direct connections fail. Throughput approaches direct connections; orders of magnitude faster than managed DERP relays. Two free peer relays on all plans. Requires v1.86+.

**Tailnet Lock (GA, Jun 2025)** - Verify that only trusted nodes join the tailnet via cryptographic signing. Shifts trust from Tailscale coordination server to your own signing nodes.

**Grants (GA, May 2025)** - Unified network and application-layer access controls replacing traditional ACLs. Combine network rules with app capabilities in a single policy.

**Visual Policy Editor (GA, Oct 2025)** - Graphical ACL management in the admin console.

**4via6 Subnet Routers (GA, Jan 2025)** - Handle overlapping IPv4 subnets by mapping them through IPv6.

**Fast User Switching (GA, Jan 2025)** - Switch between multiple Tailscale accounts on a single device.

**Node Key Sealing (GA, v1.90)** - Hardware-backed node key protection on Linux, Windows, and macOS using TPM.

**v1.94 Highlights:** Workload identity tokens auto-generated, Peer Relay performance improvements, container/K8s Operator updates.

**v1.92 Highlights:** State file encryption, TPM attestation defaults, K8s workload identity federation, Funnel/Serve PROXY protocol support, network flow logs auto-recording.

## Overview

Tailscale is a WireGuard-based mesh VPN that creates a secure overlay network (tailnet) connecting devices across any network topology. Every device gets a stable Tailscale IP from the CGNAT range (`100.64.0.0/10`) that persists regardless of physical location. Tailscale handles NAT traversal, key management, and peer discovery automatically through a coordination server, while all data flows directly between devices via encrypted WireGuard tunnels.

## CLI Quick Reference

```bash
# Authentication & Connection
tailscale up                          # Connect and authenticate
tailscale up --auth-key=<key>         # Connect with pre-auth key
tailscale down                        # Disconnect from tailnet
tailscale login                       # Authenticate without connecting
tailscale logout                      # Disconnect and expire session
tailscale switch <account>            # Switch Tailscale account
tailscale switch --list               # List available accounts

# Status & Info
tailscale status                      # Show connection status
tailscale status --json               # JSON output
tailscale ip                          # Show Tailscale IP
tailscale ip --4                      # IPv4 only
tailscale ip --6                      # IPv6 only
tailscale whois <ip>                  # Identify device/user by IP
tailscale version                     # Show version
tailscale netcheck                    # Network diagnostics

# Connectivity
tailscale ping <hostname>             # Ping over Tailscale
tailscale ping --icmp <hostname>      # ICMP ping
tailscale ssh user@host               # SSH via Tailscale

# Configuration
tailscale set --hostname=<name>       # Set device hostname
tailscale set --ssh                   # Enable Tailscale SSH
tailscale set --advertise-exit-node   # Advertise as exit node
tailscale set --exit-node=<ip|name>   # Use exit node
tailscale set --advertise-routes=<cidr> # Advertise subnet routes
tailscale set --accept-routes         # Accept subnet routes
tailscale set --accept-dns            # Accept MagicDNS
tailscale set --shields-up            # Block incoming connections

# File Sharing (Taildrop)
tailscale file cp <file> <host>:      # Send file
tailscale file get <dir>              # Receive files

# Service Exposure
tailscale serve <port>                # Serve to tailnet (HTTPS)
tailscale serve --http=80 <port>      # Serve HTTP
tailscale serve status                # Show serve config
tailscale serve reset                 # Clear serve config
tailscale funnel <port>               # Expose to internet
tailscale funnel status               # Show funnel config

# Drive Sharing
tailscale drive share <name> <path>   # Share directory
tailscale drive unshare <name>        # Stop sharing
tailscale drive list                  # List shares

# Certificates
tailscale cert <domain>               # Generate TLS cert
tailscale cert --cert-file=<f> --key-file=<f> <domain>

# Exit Nodes
tailscale exit-node list              # List available exit nodes
tailscale exit-node suggest           # Suggest optimal node

# Tailnet Lock
tailscale lock init                   # Initialize Tailnet Lock
tailscale lock status                 # View lock status
tailscale lock sign nodekey:<key>     # Sign a node
tailscale lock add tlpub:<key>        # Add signing node
tailscale lock remove tlpub:<key>     # Remove signing node
tailscale lock disable <secret>       # Disable Tailnet Lock

# Diagnostics
tailscale bugreport                   # Generate bug report
tailscale bugreport --diagnose        # With diagnostics
tailscale dns status                  # DNS resolver status
tailscale metrics print               # Show client metrics

# Updates
tailscale update                      # Update client
tailscale update --dry-run            # Check for updates
```

## Key Features

### MagicDNS

Automatically registers DNS names for tailnet devices. Access machines by hostname (`ssh user@myserver`) instead of IP. Full domain: `<machine>.<tailnet-name>.ts.net`. Enabled by default for new tailnets.

### Tailscale SSH

Replace SSH key management with identity-based access. Run `tailscale set --ssh` on destination, configure SSH ACLs in policy file. Supports check mode requiring periodic re-authentication.

### Funnel

Expose local services to the public internet through encrypted relay. Limited to ports 443, 8443, and 10000. Traffic is end-to-end encrypted through Funnel relay servers.

### Serve

Share local services within the tailnet. Supports reverse proxy, file serving, static text, and TCP forwarding. Auto-provisions HTTPS certificates. Use `-bg` flag for persistence across reboots.

### Taildrop

Peer-to-peer encrypted file transfer between tailnet devices. Send with `tailscale file cp`, receive with `tailscale file get`.

### Exit Nodes

Route all internet traffic through a designated tailnet device. Use for travel security, geo-access, or compliance. Supports Mullvad exit nodes for commercial VPN integration.

### Subnet Routers

Extend tailnet to devices without Tailscale installed. Advertise routes with `tailscale set --advertise-routes=<cidr>`, approve in admin console or via autoApprovers.

### Peer Relays

Client-to-client relay fallback when direct connections fail. Higher throughput than DERP relays. Configure with `tailscale set --advertise-peer-relay`.

### Tailscale Services

Define stable virtual services with TailVIPs and MagicDNS names, independent of hosting devices. Supports high availability and granular access controls.

## Docker & Containers

```bash
# Pull official image
docker pull tailscale/tailscale:latest

# Run with auth key
docker run -d \
  -e TS_AUTHKEY=tskey-auth-... \
  -e TS_HOSTNAME=my-container \
  -e TS_STATE_DIR=/var/lib/tailscale \
  -v ts-state:/var/lib/tailscale \
  tailscale/tailscale:latest
```

Key environment variables: `TS_AUTHKEY`, `TS_HOSTNAME`, `TS_STATE_DIR`, `TS_ROUTES`, `TS_USERSPACE`, `TS_EXTRA_ARGS`, `TS_ACCEPT_DNS`, `TS_ENABLE_HEALTH_CHECK`, `TS_ENABLE_METRICS`.

Use sidecar pattern with `network_mode: service:tailscale` for other containers.

## ACL Policy Basics

```jsonc
{
  // Groups for role-based access
  "groups": {
    "group:engineering": ["user@example.com"],
  },
  // Tag ownership
  "tagOwners": {
    "tag:server": ["group:engineering"],
  },
  // Access rules (deny-by-default)
  "acls": [
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:server:*"],
    },
  ],
  // SSH access
  "ssh": [
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:server"],
      "users": ["root"],
    },
  ],
  // Auto-approve routes
  "autoApprovers": {
    "routes": { "10.0.0.0/8": ["tag:server"] },
    "exitNode": ["tag:server"],
  },
}
```

Use huJSON format (comments and trailing commas allowed). Grants are the recommended modern alternative to ACLs.

## Reference Files

- **`references/cli-reference.md`** - Complete CLI command reference with all subcommands, flags, and usage patterns
- **`references/networking.md`** - MagicDNS, subnet routers, exit nodes, DERP, NAT traversal, containers, Kubernetes
- **`references/acls-security.md`** - ACL policy syntax, grants, groups, tags, SSH ACLs, auth keys, API, Tailnet Lock

## Common Troubleshooting

| Issue                     | Command                                        |
| ------------------------- | ---------------------------------------------- |
| Check connection status   | `tailscale status`                             |
| Network diagnostics       | `tailscale netcheck`                           |
| Test peer connectivity    | `tailscale ping <host>`                        |
| DNS resolution issues     | `tailscale dns status`                         |
| Generate bug report       | `tailscale bugreport --diagnose`               |
| Check daemon logs (Linux) | `journalctl -u tailscaled`                     |
| Check daemon logs (macOS) | `log show --predicate 'process=="tailscaled"'` |
| Force reconnect           | `tailscale down && tailscale up`               |
| Verify routes             | `tailscale status --json \| jq '.Peer'`        |

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.