Tailscale
This document guides you through the different authentication and configuration options for Tailscale with TSDProxy.
Authentication Methods
TSDProxy supports three authentication methods with Tailscale: OAuth, OAuth (manual), and AuthKey.
OAuth
Prerequisites
- Generate an OAuth client at https://login.tailscale.com/admin/settings/oauth.
- Define tags for services. Tags can be defined in the provider, applying to all services.
Important
All auth keys created from an OAuth client require tags. This is a Tailscale requirement.
Configuration
Add the OAuth client credentials to the TSDProxy configuration:
tailscale:
  providers:
    default:
      clientId: "your_client_id"
      clientSecret: "your_client_secret"
      tags: "tag:example" # Optional if tags are defined in each proxy
Restart
Restart TSDProxy to apply the changes.
Tip
If the proxy fails to authenticate after restarting, check the error logs. Ensure the tags are correct and the OAuth client is enabled.
OAuth (Manual)
Disable AuthKey
OAuth authentication mode is enabled when no AuthKey is set in the Tailscale provider configuration:
tailscale:
  providers:
    default:
      authKey: ""
      authKeyFile: ""
The proxy will wait for authentication with Tailscale during startup.
Dashboard
Access the TSDProxy dashboard (e.g., http://192.168.1.1:8080).
Authentication
Click on the proxy with “Authentication” status.
Tip
If “Ephemeral” is set to true, authentication is required at each TSDProxy restart.
AuthKey
Generate AuthKey
- Go to https://login.tailscale.com/admin/settings/keys.
- Click “Generate auth key”.
- Add a description.
- Enable “Reusable”.
- Add tags if needed.
- Click “Generate key”.
Warning
If tags are added to the key, all proxies initialized with the same AuthKey will receive the same tags. To use different tags, add a new Tailscale provider to the configuration.
Configuration
Add the AuthKey to the TSDProxy configuration:
tailscale:
  providers:
    default:
      authKey: "YOUR_GENERATED_KEY_HERE"
      authKeyFile: ""
Restart
Restart TSDProxy to apply the changes.
Funnel
In addition to configuring TSDProxy to enable Funnel, you need to grant permissions in the Tailscale ACL. See Troubleshooting for more details. Also read Tailscale’s Funnel documentation for requirements and limitations.
Tags
- Tags are required for OAuth authentication.
- Tags only work with OAuth authentication.
- Tags can be configured in the provider or service.
- If tags are defined in the provider, they apply to all services.
- If tags are defined in the service, provider tags are ignored.
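Because tags decide which ACL rules a proxy falls under, it helps to resolve them before a restart. The following is an added example, not TSDProxy code: it applies the tag rules above to a provider block and reports services that would fail or end up with unexpected tags. The provider keys come from this page; the per-service tag mapping, the comma-separated tag format, and the rule that a set AuthKey takes precedence over OAuth credentials are assumptions.

```python
# Added example: pre-deployment check of the tag rules described on this page.
# Provider keys (clientId, clientSecret, authKey, authKeyFile, tags) are from
# the page; the services mapping and the mode precedence are assumptions.

def auth_mode(provider):
    """Classify a provider block. Assumption: an AuthKey, if set, wins."""
    if provider.get("authKey") or provider.get("authKeyFile"):
        return "authkey"
    if provider.get("clientId") and provider.get("clientSecret"):
        return "oauth"
    return "oauth-manual"  # no AuthKey set: authenticate via the dashboard

def split_tags(value):
    """Parse a tag string; comma separation is an assumption."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]

def effective_tags(provider, service_tags):
    """Service tags replace provider tags; otherwise provider tags apply."""
    return split_tags(service_tags) or split_tags(provider.get("tags"))

def check(provider, services):
    """Return (service, effective tags, finding) for each service."""
    mode = auth_mode(provider)
    results = []
    for name, svc_tags in services.items():
        tags = effective_tags(provider, svc_tags)
        bad = [t for t in tags if not t.startswith("tag:")]
        if bad:
            finding = "malformed tag(s): " + ", ".join(bad)
        elif mode == "oauth" and not tags:
            finding = "OAuth client requires a tag; none resolved"
        elif mode == "authkey" and tags:
            finding = "tags in config have no effect; tags come from the AuthKey"
        else:
            finding = "ok"
        results.append((name, tags, finding))
    return results

# Constructed sample input, not taken from a real deployment.
PROVIDER = {"clientId": "your_client_id", "clientSecret": "your_client_secret",
            "tags": "tag:example"}
SERVICES = {"wiki": "", "grafana": "tag:monitoring", "legacy": "server"}

if __name__ == "__main__":
    for row in check(PROVIDER, SERVICES):
        print(row)
```

Note that the "grafana" service resolves to only its own tag: the provider tag is dropped, so any ACL rule written against the provider tag no longer covers it.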