Official Tailscale CLI for joining a tailnet, configuring a node, and inspecting or sharing services over it.
AI Analysis
tailscale is the device-side CLI for joining a tailnet, configuring how a machine participates in it, and inspecting peer or connection state. It also exposes higher-level operations like Tailscale SSH, Taildrop file transfer, service publishing with serve or funnel, and a few workflow helpers such as Kubernetes kubeconfig generation.
What It Enables
- Bring a machine onto a tailnet, change local settings such as routes, tags, exit nodes, DNS, or built-in SSH, and verify whether the node is connected.
- Inspect peer identity and reachability with `status`, `ping`, `whois`, `ip`, `exit-node`, and `netcheck`, then use that state in follow-up shell automation.
- Move work across the network by SSHing to peers, sending files with Taildrop, generating kubeconfig entries for Tailscale-connected clusters, or exposing local services with `serve` and `funnel`.
Agent Fit
- The command surface is broad and mostly non-interactive once a node is installed and authenticated, which makes it useful for machine bring-up, remote access, network diagnostics, and service publishing loops.
- Structured output is real but uneven: `status`, `up`, `whois`, `serve status`, `funnel status`, and parts of Tailnet Lock expose JSON, while many other commands remain text-first and some JSON formats are explicitly unstable.
- Best fit is host-level automation rather than org-wide administration, because most commands act through the local `tailscaled` daemon and inherit that machine's auth, OS privileges, and connectivity.
Caveats
- Many workflows require a running `tailscaled` daemon and sometimes root or sudo; without auth keys, initial login can open browser-driven flows.
- `serve`, `funnel`, and some configuration paths can prompt for confirmation unless flags are prearranged, and several commands document alpha or format-stability caveats.