Overview

Tailscale provides two main capabilities for collaboration:

  1. Tailscale SSH: Secure SSH access without managing keys
  2. Network Invitations: Adding users to your tailnet or sharing specific devices

Tailscale SSH

What is Tailscale SSH?

  • SSH connections between devices in your Tailscale network
  • No SSH key management required
  • Authentication via WireGuard
  • Access controlled by ACL policies

Enabling SSH on Your Machine

Method 1: Command Line

  tailscale set --ssh

Method 2: Admin Console

  1. Log into https://login.tailscale.com/admin
  2. Find the device you want to enable SSH on
  3. Toggle “Allow Tailscale SSH” in machine settings

Configuring Access Controls

Edit ACL rules at https://login.tailscale.com/admin/acls:

  {
    "ssh": [
      {
        "action": "accept",
        "src": ["autogroup:members"],
        "dst": ["tag:pi"],
        "users": ["*"]
      }
    ]
  }

Key Fields:

  • src: Who can SSH (e.g., autogroup:members for all tailnet members)
  • dst: Which machines can be accessed (e.g., tag:pi for tagged devices)
  • users: Which system users can be accessed (* = all, autogroup:nonroot = non-root only)

SSH Access Rules & Restrictions

Allowed SSH Connections:

  • ✅ From a user to their own devices (as any user including root)
  • ✅ From a user to tagged devices (as any user including root)
  • ✅ From a user to shared tagged devices (as any user including root)

Key Restriction - Device Ownership:

⚠️ Critical: Tailscale does NOT let a user start an SSH session on a user-owned device unless the source is a device owned by the same user.

What this means:

  • If you invite someone to your tailnet, you CANNOT SSH into their personal devices (laptops, desktops they own)
  • Even with ACL rules configured, user-owned devices are protected
  • This is a security feature to prevent unauthorized access to personal machines

Workarounds for accessing invited users’ machines:

  1. Device Tagging: The invited user can tag their device (makes it non-user-owned)
  2. Device Sharing: They can explicitly share their device with you
  3. Shared Servers: Use tagged servers/VMs that aren’t user-owned

Security Notes

  • If you include autogroup:nonroot in the users field, anyone permitted by src can SSH as any nonroot user
  • Access is determined by your tailnet ACL policies
  • All connections are encrypted via WireGuard
  • User accounts must already exist on the host - Tailscale won’t create them
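The "Key Fields" and "Security Notes" sections above describe two ways an SSH rule becomes broader than intended: a src of autogroup:members also covers externally invited users, and a users field of "*" includes root. The following linter is an added example (not Tailscale's own tooling) that reads a policy in the plain-JSON shape shown above and flags those combinations. It embeds two constructed sample policies: the permissive rule from the page, and a tighter variant that gives members non-root access only and reserves root for a named group; the group name, tag owners and e-mail address in it are assumptions. Real tailnet policies are HuJSON (comments and trailing commas allowed), so strip those or use a HuJSON parser before feeding a live policy in.

```python
"""Lint Tailscale ACL "ssh" rules for overly broad grants (added example)."""
import json

# Sources that match every tailnet member. Per the notes above, members
# include externally invited users. Both spellings of the autogroup are listed.
BROAD_SOURCES = {"*", "autogroup:members", "autogroup:member"}

# Constructed sample: the permissive rule from the page. Any member can SSH
# into every tag:pi device as any user, root included.
WEAK_POLICY = """
{
  "ssh": [
    {"action": "accept", "src": ["autogroup:members"], "dst": ["tag:pi"], "users": ["*"]}
  ]
}
"""

# Constructed sample: members get non-root accounts only; root is limited to a
# named admin group that also owns the tag. Names are assumptions for illustration.
HARDENED_POLICY = """
{
  "groups": {"group:pi-admins": ["alice@example.com"]},
  "tagOwners": {"tag:pi": ["group:pi-admins"]},
  "ssh": [
    {"action": "accept", "src": ["autogroup:members"], "dst": ["tag:pi"], "users": ["autogroup:nonroot"]},
    {"action": "accept", "src": ["group:pi-admins"], "dst": ["tag:pi"], "users": ["root"]}
  ]
}
"""


def grants_root(users):
    """True if the users field lets a session start as root."""
    return any(u in ("*", "root") for u in users)


def lint_ssh_rules(policy_text):
    """Return findings as (rule_index, severity, code) for each accept rule.

    high: every member (including invited external users) can become root.
    info: every member can log in as any non-root account that exists on the host;
          this is what autogroup:nonroot means, surfaced so it is a conscious choice.
    """
    policy = json.loads(policy_text)
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        if rule.get("action") != "accept":
            continue
        broad_src = bool(set(rule.get("src", [])) & BROAD_SOURCES)
        users = rule.get("users", [])
        if broad_src and grants_root(users):
            findings.append((i, "high", "root-for-all-members"))
        elif broad_src and "autogroup:nonroot" in users:
            findings.append((i, "info", "nonroot-for-all-members"))
    return findings


def report(name, policy_text):
    """Print findings for one policy; returns the count of high-severity findings."""
    findings = lint_ssh_rules(policy_text)
    print(f"{name}: {len(findings)} finding(s)")
    for idx, severity, code in findings:
        print(f"  ssh[{idx}] {severity}: {code}")
    return sum(1 for _, sev, _ in findings if sev == "high")


if __name__ == "__main__":
    report("weak", WEAK_POLICY)
    report("hardened", HARDENED_POLICY)
```

Run it against an exported policy as a pre-commit check: a non-zero high count means some rule lets every member, invited guests included, obtain root on a tagged host. The hardened sample still produces an info finding, which is intentional: autogroup:nonroot is fine for a shared development box, but only if the non-root accounts on that host are ones you are happy for any member to use.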

Network Invitations

Two Approaches

Option 1: Full Tailnet Invitation

When to use: Sharing multiple devices, ongoing collaboration, team members

Capabilities:

  • Invited user joins your entire Tailscale network
  • Can access any device/service allowed by ACLs
  • Works with any identity provider (Gmail, Apple, Microsoft, passkeys)
  • Invites expire after 30 days if unused

How to invite:

  1. Open the Users page in admin console
  2. Select “Invite external users”
  3. Add email address for each user
  4. Send invitation URL

Requirements:

  • Must be Owner, Admin, or IT admin to send invitations
  • Available on all Tailscale plans

Option 2: Device Sharing

When to use: Limited access, temporary sharing, single device access

Capabilities:

  • Share specific machines only
  • Recipient cannot see other devices on your tailnet
  • No exposure to public internet
  • More restricted than full network invitation

How it works:

  • Share individual machines with external users
  • Access limited to only the shared machine
  • Better security isolation for limited use cases

Choosing Between Invitations and Sharing

  Feature        Full Tailnet Invitation           Device Sharing
  Access scope   Entire network (ACL-controlled)   Single device only
  Best for       Multiple devices, teams           Limited/temporary access
  Management     User management required          Per-device sharing
  Security       ACL-based permissions             Isolated access

Common Use Cases

Personal/Family Use

  • Invite family members to your tailnet
  • Share specific devices (NAS, media server) without full network access
  • Remote support for family computers
  • Note: You can’t SSH into family members’ personal laptops unless they share/tag them

Professional/Contractor Use

  • Invite contractors to specific project resources
  • Share development servers (use tagged devices for contractor SSH access)
  • Temporary access that auto-expires
  • Best practice: Use tagged servers for contractor access, not personal devices

Team Collaboration

  • Add team members with role-based access
  • SSH into shared development environments (tag these servers)
  • Secure remote access for distributed teams
  • Tip: Tag shared infrastructure so any team member can access it

Important Limitations & Notes

General Limitations

  • Unused invitations expire after 30 days
  • ACL policies control all access (both SSH and network)
  • Tailscale SSH requires the destination device to have SSH enabled
  • All connections are authenticated via WireGuard
  • External invites work across all identity providers

SSH-Specific Restrictions

  • Cannot SSH into user-owned devices belonging to other users
  • OS user accounts must already exist on the destination (Tailscale won’t create them)
  • By default, invited users can access your devices (control this with ACLs)
  • Granting autogroup:members access also grants access to external invited users

Shared Device Behavior

  • Shared machines are quarantined by default
  • Quarantined means the shared machine can receive connections from the recipient's tailnet but cannot initiate connections into it
  • Recipients must be Owner, Admin, or IT admin to accept shared machine invitations

Resources


Last Updated: November 22, 2025